INFORMATION AND DISPLAY REQUIREMENTS
FOR INDEPENDENT LANDING MONITORS 

By J.S. Karmarkar and J.A. Sorensen 
Systems Control, Inc. 


I. INTRODUCTION 

There are major economic reasons for providing the capability 
of all-weather operations to most National Airspace users. The 
fact that airports are frequently closed or operating at reduced 
capacity because of low visibility is a primary source of lost 
revenue and increased operating cost. Prolonged holding patterns 
and diversions to alternate airports increase fuel usage, labor 
costs, and aircraft inefficiency. These delays also diminish user 
good will, and in some cases, cause the customer to seek alternate 
means of transportation. These economic considerations have motivated
a concentrated effort on the part of the appropriate government
agencies -- National Aeronautics and Space Administration, the
Federal Aviation Administration, and the Department of Defense --
to sponsor the development of all-weather landing capability [1-4].

Increasing the number of IFR operations and improvements in 
IFR efficiency are being accomplished through the development of 
advanced onboard avionics (automatic landing system, Category III
ILS). But using these advanced systems during low visibility implies
that more precautions must be taken to ensure flight safety.
In order for the pilot to accept fully the new equipment capability 
which allows him to land in low visibility conditions, he must be 
reasonably satisfied that his chances of safe landing are at least 
as great as under VFR conditions. 

The ability of different users to pay different amounts for 
all-weather avionics equipment has resulted in varying degrees of
IFR landing capability in the respective aircraft fleets. These
range from Category I (where there must be at least a 61 m (200 
feet) altitude visibility ceiling) to Category IIIc (where the 
landing is essentially blind). Aircraft avionics must be certi- 
fied to be allowed to land under each of these categories, and the 
certification procedures ensure that the appropriate measures of 
system safety (probability of catastrophic accident) are adequate- 
ly met. For Category I conditions, the avionics must allow the 
pilot to get below 200 feet and be satisfactorily lined up with 
the runway for a manual landing. For Category IIIa operation,
present landing systems have utilized automatic landing to pass 
certification requirements. To meet these requirements currently 
necessitates that the automatic landing (autoland) system have 
multiple component redundancy to guard against failure. 

Avionics system improvements which have been suggested to 
improve all-weather landing capability include development of 
provisions for the following: (1) allow landing with lower visi- 
bility limits, and (2) use the pilot's monitoring ability to 
reduce the necessary complexity of the automatic landing systems. 
These desired improvements have produced the need for re-examina- 
tion of the potential role of the Independent Landing Monitor 
(ILM). Such a device would obtain independent information about
the state of the aircraft relative to the runway to allow the 
pilot to assess the performance of the landing operation. 

The ILM actually has several envisioned uses and several 
associated configurations. The ILM uses include providing the 
crew with information to: 

1. Allow lowering the visibility minimums while maintain- 
ing the present-day levels of safety. 

2. Allow the pilot to determine whether an anomaly has occurred
in the onboard guidance system or the ground-based
ILS or MLS signal during the landing phase. This information
includes the decision of whether manual landing
or manual go-around should be attempted.

3. Guide the aircraft for manual landing or go-around in
case of takeover during flight.

4. Guide the aircraft in case of fault during ground roll
or takeoff.

5. Detect faults or pilot blunders during the approach phase.


Thus, the ILM can potentially improve aircraft operational economy 
by allowing more operations in low visibility conditions and by
reducing the required autoland equipment redundancy such that the 
initial investment and the recurring maintenance costs would be 
reduced. However, if the ILM is to be used to realize these cost 
savings, it must be shown that the resulting level of operational 
safety is at least equivalent to that of today's systems. 


Previous Developments 

The previous work on the ILM has mainly focused on the devel- 
opment of sensors to provide a perspective view of the terrain 
ahead of the aircraft. The idea was that if an adequate display 
could be developed, this information could substitute for the 
normal visual cues such that a low visibility approach could be 
executed. 

An early implementation of a landing monitor (for ILS ap- 
proaches) was the Bendix Microvision System [5] tested on a C-131 
at Wright-Patterson Air Force Base, Ohio in 1961. One of the 
main technical problems with the early Microvision System was that 
the system required the installation of active transponders on 
the runway surface, which would require international agreement 
and installation and maintenance costs. Secondly, to produce a
coincident image of the runway, using a radar return stabilized
by means of the existing commercial quality attitude gyroscopes, 
was technically impossible at that time. The distraction to the 
pilot of a runway image (formed by the transponders) moving around 
over the real world runway was more than enough, by itself, to 
discourage further development. Lastly, there was a growing 
awareness of the difficulty of providing pilot performance con- 
sistency to an adequately high confidence level. 

The Lockheed ILM development utilizing a Texas Instruments 
radar [6] was based primarily upon the premise that pilot confi- 
dence in a completely automatic landing system for use in lower 
than Category II visibility might well need "boosting" by visibility
enhancement of the runway. The purpose of the ILM was to provide
high resolution radar mapping of the runway during Categories
I, II, or III automatic approach and landings. The reason for 
landing monitor independence was to simplify the failure analysis 
by avoiding any interconnection between the ILM and the automatic 
approach and landing system. Moreover, the historically long time 
lapse between establishing a requirement for a new universal ground 
aid, its adoption by ICAO, and its universal implementation also 
encouraged independence. The Lockheed ILM concept was a go/no-go 
monitor for the autoland system rather than an independent flight 
director. Its intent was to allow the pilot to judge whether or 
not the landing was proceeding satisfactorily. The Lockheed ILM 
development was not completed partially because of indecision on 
its final role and benefits. 

In contrast to the forward looking radar ILM developed for Lockheed,
the concept [performance and failure assessment monitor (PAFAM)]
proposed and implemented by McDonnell-Douglas was strictly
a hardware monitor receiving inputs from the primary autoland system
[7]. Based on internal models relating to the proper functioning
of the key subsystems of the autoland system, the monitor made
an assessment of the total performance and failure state of the air- 
craft system in terms of a predicted touchdown point. The underly- 
ing objective of this concept was to assist the pilot in making 
go/no-go decisions under pressure and in face of landing uncertainty. 
The goal of the system was to design the performance monitor to re- 
duce the landing risk without imposing an unacceptable economic pen- 
alty in the number of aborted approaches. The PAFAM system, though 
conceptually attractive, has not met with wide acceptance by the 
airline industry. The principal difficulty lies in the fact that 
in the current implementation, it is very difficult to assure the 
integrity of the primary autoland system in the presence of exist- 
ing interconnections with the PAFAM system. 

During the course of other studies of the potential role and 
benefits of a perspective display as an ILM, simulator based experiments
were conducted for each phase of flight in the terminal
area [8]. These studies concluded that although a number of flight
parameters are useful in assessing system performance, the usage 
of a perspective runway display is not essential. 


Objectives and Scope of Study 

To determine if the ILM potential can be realized, it is even- 
tually necessary to develop demonstration models for testing either 
in flight or in a cockpit simulator. To develop these models, it 
was first necessary to: (1) determine current and potential sensor
capabilities, from a technological point-of-view, applicable to
ILM mechanization, and (2) determine how sensor measurements should
be processed in an ILM and displayed to the crew for flight evaluation.
The first item (which was the subject of a separate study)
will be combined with the second item (documented in this study 
report) to formulate ground based cockpit simulator experiments 
leading to ILM flight test. 


The specific objectives of this study were as follows [2]: 


(1) First, the various potential applications of an ILM were 
to be reviewed and reduced to a set that was most appro- 
priate in terms of future development. The complete 
objective here was to define the ILM functions, and to 
determine the information (type and reliability) that is 
required by the pilot and crew for the realization of 
each of these functions. 

(2) Next, various ways the ILM could be mechanized (in terms 
of sensor measurement processing and display) were to be 
considered. This required assessing different concepts 
of how faults could be detected, how the information 
could be displayed to pilot/crew, and what different 
crew procedures would be required to execute each of the 
flight options that the ILM could indicate. 

(3) The final objective was to recommend which ILM concepts 
should be studied in further detail. 


The first objective, defining the ILM applications, was done 
in terms of operational implications and hardware (sensors, pro- 
cessor, display) requirements. These definitions then allowed the 
ILM applications, which could be evaluated by analytical techniques 
(as opposed to cockpit simulator), to be selected for further 
study. These included providing: (1) backup fault monitoring of 
the primary autoland system, and (2) manual backup guidance in the 
event of a fault. The types of information possibly required in the 
ILM to mechanize these applications include: 

(1) status of the aircraft states, 

(2) whether a fault or anomaly has occurred, 

(3) the type of anomaly,

(4) what action the pilot and crew should take, and

(5) guidance information for conducting that action. 

The reliability requirements of this information were determined 
by conducting a safety analysis. 

The second objective, determining how to mechanize these ILM 
applications, required conducting the following investigations: 

(1) Determining how a fault could be detected and possibly 
discriminated from independent aircraft state measurements.

(2) Determining how long it takes to recover manually from
a perturbed condition after a fault has been detected. 

(3) Determining the appropriate fault recovery strategy as 
a function of aircraft altitude. 

(4) Specifying alternate ways this strategy and the associ- 
ated guidance requirements could be displayed to the 
crew. 

These investigative requirements thus formulated a systematic pro- 
cedure for determining information and display requirements of the 
ILM and analyzing landing systems. 

The approach used to conduct this study then consisted of five 
steps that were quite interrelated. These steps are shown as an 
iterative process by the flow chart shown in Figure 1. Before us- 
ing this procedure, it was necessary to define (in terms of analy- 
tical models) elements of the aircraft/autoland/MLS/operating 
environment that need to be considered when developing the ILM. 

In addition, the possible uses of the ILM were defined in detail. 
However, the flight system and the terminal area flight profile are 
complex, and because of the limited effort possible, the study con- 
centrated primarily on use of the ILM during the final landing por- 
tion of flight [300 m (1000 feet) altitude down to touchdown]. 

FIGURE 1. - OVERVIEW OF APPROACH USED TO ESTABLISH INFORMATION AND
DISPLAY REQUIREMENTS OF AN INDEPENDENT LANDING MONITOR


With the operating scenario and flight system defined, speci- 
fying the constraints under which an ILM must operate was the first 
step of the analysis. The basic constraint is that landing safety 
must be preserved; the system using the ILM must improve landing 
capability with equivalent flight safety. The associated safety 
constraints on the ILM were determined using a probability tree 
with probabilities of different events (such as autoland fault, 
severe wind gusts, ILM failure) included. The result was a specification
of the accuracy and reliability levels required for the
ILM.


The initial function of the ILM is to detect system faults 
(autoland, MLS, or severe winds) such that the crew can be warned. 
Thus, the second step was to determine how the faults could be 
detected by ILM software and what the associated timing requirements
(time-to-detect fault) were. This phase of the study used
the safety budget values specified in the previous step. 

After a fault has been detected, it is important to know how 
long it takes for manual recovery to allow a safe go-around or the 
continuation of the landing sequence. The third step of the study 
was to determine fault recovery time (time-to-correct) from vari- 
ous error states. This recovery time is fundamental to the deter- 
mination of what crew strategy (go-around or continue the landing) 
should be used, given that a fault has been detected. The strategy 
is selected that yields the maximum safety on a probabilistic 
basis.

The fourth step was to combine time-to-detect and time-to-correct
results to define the envelope around the landing flight
path within which fault recovery is possible from a safety point- 
of-view. This envelope is used to determine from what altitudes 
fault recovery can be made safely and what the associated recovery 
strategy should be as a function of altitude. The third, fourth, 
and fifth steps just described define functionally the data pro- 
cessing requirements of the ILM, what measurements (ILM inputs) 
are necessary, how accurate the measurements should be, and what 
uses can be made of the ILM during the landing phase as a backup 
to automatic landing. 

The fifth step of the study was to examine different ways 
the information from the ILM could be presented to the crew. Both 
alphanumeric (performance monitoring and fault recovery command) 
and pictorial (aircraft state and guidance information) displays
were considered. Associated crew procedures that would make use
of these displays were also specified.

After these five steps were completed, a series of recommen- 
dations was made concerning what the next steps should be in 
investigating the potential of the ILM. Recommendations include 
the development of experimental ILM designs which are suitable 
for simulator and flight testing. The system description, the 
material developed in the five steps, and the resulting recommen- 
dations are the subjects of the next seven chapters of this 
report. 


In summary, this report is organized as follows: 


1. The second chapter presents the terminal area operating 
scenario in terms of economic factors, approach trajec- 
tories, navigation aids, aircraft types, avionics, and 
crew procedures. ILM application details and the main 
premises on which this study is based are also presented. 

2. The third chapter presents the system safety budget 
analysis as a basis for: (a) justifying the incorpora- 
tion of an ILM into the primary autoland system, (b) 
determining the fault detection equipment performance 
requirements, and (c) formulating the optimum post fault 
crew recovery procedure sequence (i.e., ILM strategy). 

3. The fourth chapter discusses the investigation of fault 
detection and discrimination algorithms (consistent with 
the main premises of the study) to meet the system safety 
specifications previously generated. The specific algo- 
rithm studied in detail consists of a combination of the 
statistical chi-square (χ²) test and the Student's (t)
test. Computer simulation results are presented to 
validate the analytical computations performed. 

4. The fifth chapter deals with the fault recovery per- 
formance of the system using available pilot models and 
the covariance propagation technique. Starting with 
the system state manifold at fault detection, this phase 
of the study determines the recovery time required to 
bring the system state manifold within acceptable limits, 
from a safety point-of-view.

5. The sixth chapter brings together the safety budget,
fault detection and discrimination, and fault recovery
analyses to assess total time to recovery from a fault.
The results are used to generate the ILM strategy (in
terms of crew procedures) for the landing phase of flight. 
Then, two display configurations are presented which can 
be used to provide necessary information to the crew. 

6. The seventh chapter summarizes the study results from 
the viewpoint of system safety, fault detection/discrim- 
ination, fault recovery, system implementation and ILM 
usage strategy. The main areas requiring further 
research are described, and a simulator/flight test 
validation plan is recommended. 

7. Appendices A, B, and C present technical details used in 
the second through fifth chapters. 


The reader who wishes to skip the study details can directly 
peruse the summary and conclusions presented in the seventh 
chapter. 


II. BACKGROUND


This chapter provides necessary background concerning the flight 
system and terminal area environment in which the ILM must operate. 
Also, different applications of the ILM are summarized, and specific 
applications studied in this effort are explained. The material in 
this chapter affects the methodology used throughout the study. Necessary
subsystem details are discussed, and definitions of hardware
and software constraints used to specify system requirements are
given.

An overview is first given of the relationship of the elements 
in the flight system. Then, details are presented of the terminal 
area environment, associated crew procedures, autoland system con- 
siderations, and microwave landing system considerations. The 
ILM applications are presented in terms of what the corresponding 
general information and display requirements are. The operational 
implications of each application are listed, and justification is 
given for the specific applications evaluated in this study. 


Overview 

The terminal area environment can be described in flow chart 
form as in Figure 2. The total system includes the aircraft, auto- 
land system, aircraft state sensors, airborne displays, ground land- 
ing aids, air traffic control, the runway and surrounding terrain, 
wind, pilot, and the ILM. The ILM consists of airborne sensors, a 
data processor, associated displays and monitoring instrumentation, 
and possibly ground based aids. 

Based on the command and advisory information presented to the 
pilot through cockpit displays, instruments, and monitors, either 
manual or automatic control of the aircraft is used. The pilot and 
crew's decision making process is aided by vestibular motion cues
and out-of-window visual cues. Under ceiling and visibility unlimited
(CAVU) weather conditions, the pilot can execute a "successful"
manual landing with these cues alone. On the other hand, under
low visibility conditions, these cues are misleading and partially 
or totally lacking the required information content. The pilot and 
crew currently do not have display capabilities required for exe- 
cuting a "safe" manual landing under these conditions. 

A "safe" manual landing is a process in which the probability 
of a catastrophic accident occurring is very small (e.g., 10“^). 
Technical details pertaining to this probabilistic analysis are de- 
veloped in Appendix A. Because such a level of safety cannot be 
met when the aircraft is under manual control in low visibility, 
this has led to the development of the automatic landing system. 
Different types of autoland systems with different levels of redun- 
dancy and reliability have been developed, which are discussed 
shortly. Because different levels of reliability are present, each 
of these systems is certified to operate in different weather condi- 
tions. For example, an autoland system certified for Category II, 
will allow the aircraft to be automatically flown down to 30m 
(100 feet) altitude. At that point, the pilot must establish vis- 
ual contact with the runway for monitoring purposes to allow the 
autoland to proceed with the landing or to execute a go-around. A 
Category III autoland system is certified to be operational down 
to touchdown. 

Associated with each type of autoland system, there exists 
different applications of the Independent Landing Monitor. The 
benefits that these applications can produce are as follows: 

1. Increased landing performance -- The ILM can complement the
autoland system such that landing can take place in lower
visibility conditions than what the autoland system operating
alone is certified for. This can be accomplished
because the ILM provides additional monitoring capability
of the flight system to the pilot. This increases the
level of safety and allows the aircraft to be flown automatically
to a lower altitude before visual contact with
the runway must be made. 

2. Increased safety -- The ILM can be used to detect out-of-tolerance
wind gusts or other aircraft on the runway that
the autoland sensors cannot detect. Thus, additional safety
is provided to the system. In addition, these features 
serve the pilot as confidence builders in the autoland 
system. 

3. Reduced redundancy -- Several autoland systems discussed 
later have a high degree of subsystem redundancy to ensure 
that the probability of failure in flight is acceptably 
low. To maintain this redundant equipment is expensive.
The ILM can potentially reduce the required redundancy by
taking advantage of the sensing and monitoring capabilities 
of the pilot and crew. By providing sufficient information 
to the crew, the ILM enables using a less redundant primary 
autoland; this reduces both the initial investment and the 
subsequent equipment maintenance costs. 


Thus, there are three factors which must be considered when analyzing
the ILM and its applications: landing performance, safety,
and equipment redundancy. In the subsequent sections, the elements 
of Figure 2 are considered in terms of these three measures. These 
measures also dictate the constraints placed upon the information 
and display requirements for the Independent Landing Monitor. 


Terminal Area Environment And Crew Procedures 

The terminal area environment can be described in a graphical 
fashion as in Figure 2. The total terminal area environment consists 
of the aircraft/autoland system with the associated airborne sensors 
for navigation and control, the ground based navigation aids (e.g., 
MLS, ILS), and the air traffic control system (ATC). The purpose
of the ATC system is to schedule the aircraft in the landing queue
and to report pertinent data such as weather, runway visual range (RVR),
wind and other traffic.

The number of terminal area parameters that in some way affect
the ILM system concept is rather large. Table 1 summarizes the 
principal aspects of the terminal area flight path, atmospheric con- 
ditions, pilot/crew procedural considerations, landing characteris- 
tics and airport characteristics. These and other considerations 
must be investigated prior to the actual deployment of any ILM sys- 
tem. 


Terminal area flight path. - A typical terminal area flight
path consists essentially of an initial, intermediate and final
approach segment as shown in Figures 3 and 4. A procedure turn is
used to transition from the initial to the intermediate segment,
as shown in Figure 3 [9]. The vertical profile for the final
approach segment is depicted in Figure 4. This figure also shows
the obstacle clearance line (OCL) and missed approach line (MAL),
in the vertical plane, above which the aircraft must remain during 
the final approach and missed approach, respectively. The corres- 
ponding obstacle clearance slopes in the lateral plane are 12:1 with 
respect to the runway centerline for both approaches. These clear- 
ance requirements are related to the total system safety as discus- 
sed in the next chapter. 

Under low visibility conditions, the roll out portion of the 
aircraft path must be considered with respect to roll out guidance 
and control. This phase of flight essentially involves a changeover 
from aerodynamic control to nose wheel control with the objective 
being to follow the runway centerline. 

To conduct a detailed ILM requirements study, each portion of 
this flight path must be considered. For the purposes of the 
present study, it was considered adequate to model only the landing 
segment, shown in Figure 4. This is justified later. The methodol- 
ogy for conducting a detailed analysis of the entire terminal area 
flight profile is included in Appendix B. 





TABLE 1. - TERMINAL AREA PARAMETERS

ELEMENTS                 PRINCIPAL ASPECTS

Terminal Area            • Landing Pattern (3D, 4D, Curved Decelerating)
Flight Path              • Special Flight Procedures
                           (Procedure Turns, Merge Points)
                         • Ground Roll Procedures

Atmospheric              • Steady Winds
Conditions               • Wind Shear
                         • Wind Turbulence
                         • Altitude, Temperature, Pressure
                         • Snow, Fog, Visibility

Pilot/Crew               • Aircraft Control Tasks
                         • Monitoring/Decision-Making
                         • Available Cues - Visual, Vestibular, Aural
                         • Other Work Items
                         • Crew Physical Status

Landing                  • Gain Variation and Offsets
Characteristics          • Transient Due to Overflights
(MLS, ILS, Lights)       • Ground Station Failures
                         • Light Pattern/Intensity

Airport                  • Runway Gradients and Roughness
Characteristics          • Tire-Runway Friction








FIGURE 3. - TYPICAL TERMINAL AREA TRAJECTORY [9]

FIGURE 4. - TYPICAL FINAL APPROACH SEGMENT [9]

Nomenclature

DH     Decision Height
FAC    Final Approach Course
FAF    Final Approach Fix
GPI    Ground Point of Intercept
IF     Intermediate Fix
MAL    Missed Approach Line
MAP    Missed Approach Point
MDA    Minimum Descent Altitude
OCL    Obstacle Clearance Line
OM     Outer Marker
TCH    Threshold Clearance Height







Atmospheric Conditions 


The certification requirements for commercial transport aircraft
(FAR 25 and FAR 121) to operate under Category II and Category
IIIa conditions have been defined by the FAA [10-12]. Terminal area
operations in terms of runway availability and aircraft spacing are
largely influenced by the weather category, as defined in Table 2
[9]. The airport weather category is determined mainly by the runway
visual range (RVR), which is measured by ground based sensors
and relayed to aircraft in the terminal area by the ATC system.
Category IIIa also defines wind condition [12] limits and the corresponding
touchdown parameter manifold denoting a "safe" landing
[11, 12]; these are given in Tables 3 and 4, respectively. In the
interest of comparison, the Category II window defined at decision
height 30m (100 feet) is also noted in Table 4.

In order to establish that a given aircraft-autoland configura- 
tion meets the Category III requirements, in terms of landing safety, 
simulation studies are typically conducted to demonstrate that the 
touchdown manifold in Table 3 is not violated in a statistical sense 
[15]. Details pertaining to the requirements of these studies are
presented in the next chapter and Appendix A. 

To illustrate the frequency of Category II and Category III 
weather conditions for certain airport locations, a typical summary 
of reported weather conditions by landing category is given in 
Table 5 [14]. Based on his route structure, the airline operator 
can translate the performance improvement due to the incorporation 
of an ILM to reduce landing minima into increased revenues. This 
assumes that the ILM is highly reliable and that its use requires 
a minimum of maintenance and ground personnel training. 

TABLE 3. - CATEGORY III WIND CONDITION CONSTRAINTS

QUANTITY                                     MAGNITUDE

Headwind                                     <25 kts
Tailwind                                     <10 kts
Crosswind                                    <15 kts
Turbulence (shear)                           8 kts/30.5m from 61m (200 feet) down
                                             to touchdown (TD)
Turbulence (gust)                            u        v        w
  Standard Deviations, kts (1σ)              .15      .15      1.5
  Time Constant, sec (V is airspeed in kts)  600/V    600/V    30/V

TABLE 4. - CATEGORY III AND CATEGORY II PARAMETER MANIFOLD (1σ)

QUANTITY                      CATEGORY III                    CATEGORY II WINDOW
                              TOUCHDOWN MANIFOLDS

Longitudinal/Vertical         ± 76.3m (250 feet)/---          ---/± 3.66m (12 feet)
Lateral                       ± 3.05m (10 feet)               ± 22m (72 feet)
Sink Rate                     0.61m/s (2 feet/s)              ---
Lateral Speed/Forward Speed   ± 1.22m/s (4 feet/s)/± 2kts     ---/± 5kts
Crab Angle                    ± 2°                            ---
Worst Case Longitudinal       61.0m (200 feet) from
                              threshold < TD < 761m
                              (2500 feet) from threshold
Worst Case Lateral            More than 1.52m (5 feet)        ---
                              from edge for 46m
                              (150 feet) wide runway






TABLE 5. - SUMMARY OF REPORTED WEATHER BY LANDING
CATEGORY IN HOURS PER MONTH [14]

                          October 1970          November 1970
                          Cat. II   Cat. III    Cat. II   Cat. III

Atlanta                      9         2           1         5
Birmingham                   0        10           1         0
Boston                       6        13           0         0
Charlotte                    0         0           0         3
Chicago O'Hare               3         5           0         0
Cleveland                    1         2           3         0
Dallas Love                  5         0           0         0
Detroit Metropolitan         3        16           0         0
Houston                      6         9           4         3
Jacksonville                 0         0           6
Los Angeles                  0         0           2        10
New Orleans                  1         5           0         0
New York Kennedy             2         2           0
Newark                       0         0           0         0
Philadelphia                 0         0           0
Pittsburgh                   2         6           6        16
Portland                    11        15          10         5
St. Louis                    4         0           0         2
Seattle                      5        25           2         2
Tampa                        0         0           0         6
Washington National          0         0           1         1

Time in hours is shown under Category II when the RVR
is reported less than 732m (2400 feet) and equal to or
greater than 366m (1200 feet). Time in hours is shown
under Category III when the RVR is reported less than
366m. Data obtained from Eastern Airlines.












Crew Procedures 


As the aircraft proceeds automatically along the flight path 
depicted in Figures 3 and 4, the crew must monitor the operation of 
the autoland system. The set of discrete autoland actions that the 
crew must monitor is shown in Figure 5. The typical time sequence 
of flap, throttle, landing gear, decrab, flare and brake/spoiler 
deployment is presented in this figure. Simultaneously, the crew 
must also monitor whether the current state of the aircraft is 
acceptable. Typically, the crew is interested in flight path angle, 
vertical velocity, pitch attitude, slant range and range rate, velo- 
city vector and cross track error and error rate. These have been 
graphically depicted in Figures 6a and 6b, respectively. 

The onboard monitor and display subsystem of the typical auto- 
land [16] normally provides the crew with status (autoland mode) and 
command (flight director mode) information. Additionally, the 
pilot and crew receive vestibular motion cues, possible out-of-window 
visual cues, and oral cues from the ATC system (Figure 2). Thus, 
based on information derived from many different sources, the pilot 
is required to make a judgement regarding the proper functioning 
of the elements of the primary autoland system. Clearly, this is 
a complex task which taxes the pilot's decision making capability 
even under clear visibility conditions. Under low visibility 
conditions (when the out-of-window visual cues are deficient, mis- 
leading, or totally lacking) when an upset occurs, the pilot simply 
cannot cope with the decision making and monitoring tasks. Here, he 
must be looking at all the cockpit instrumentation and deciding 
whether (a) the autoland was malfunctioning, (b) the external environ- 
ment (e.g., wind gust) was unacceptable, or (c) the MLS signal was 
not within the specified category tolerances. 

One potentially attractive approach to alleviating this information 
deficiency is to incorporate a system, operating independently 
from the primary guidance system, which would allow the pilot and 
crew to assess the performance of the autoland system, MLS, and 
external environment in terms of the aircraft's situation relative 
to the runway, under low visibility conditions. Such an independent 
landing monitor (ILM) system has been schematically presented by 
the shaded blocks in Figure 2. In addition to monitoring the current 
status of the aircraft, the ILM can have the capability of providing 
guidance commands to allow the pilot to execute a go-around, or 
to continue the landing sequence provided that the required levels 
of safety are maintained. 


FIGURE 5.-AUTOMATIC LANDING SEQUENCE 
[Figure not reproduced. Recoverable labels: wheel height to touchdown (m AGL); approach flaps, landing gear, alert height, touchdown, brakes/spoilers; automatic/manual; typical aircraft coordinates for final approach; normal crew monitoring actions for landing decision.] 


Autoland System Considerations 

The modern commercial aircraft under automatic control is an 
extremely complex system. To gain an appreciation of the complexity 
of such a system depicted at the center of Figure 2, the blocks 
representing the autoland system are redrawn in greater detail in 
Figure 7. The autoland system is a network of sensors/transducers, 
real time computational algorithms, control systems and actuators 
driving the aerodynamic surfaces. A partial list of the associated 
autoland sensors and transducers is given in Table 6. 

The failure of one or more of these elements of the total avi- 
onics/autoland system, during the approach and landing phase of flight 
can result in a hazardous condition leading to a catastrophic out- 
come. Thus, to enhance the reliability of such a system, the entire 
system is generally duplicated and interconnected. A representative 
configuration, namely, triple modular redundancy (TMR), is depicted 
in Figure 8. This increased reliability is obtained at the expense 
of increased initial capital expenditure and recurring maintenance 
cost. Depending on the level of redundancy (e.g., dual, quadruple) 
and the redundancy management technique [17] (e.g., voting, hardware- 
aided software, etc.) the resulting avionics systems can continue 
to operate in spite of the total failure of one or more computers. 

Figure 7.-AUTOLAND AIRBORNE HARDWARE BLOCK DIAGRAM (INCLUDING ILM) 
[Figure not reproduced. Recoverable block labels: pilot controls, air data, navigation, flight control/stabilizer, aerodynamic surfaces, engine, motor, computer interfaces, auto throttle, map display, status monitors.] 

TABLE 6.- AUTOLAND SENSORS/TRANSDUCERS (PARTIAL LIST) 

| GENERAL CATEGORY | TYPES |
|---|---|
| Pilot Controls (Automatic) | Mode select panel, keyboard, go-around switch, cut-out switch (computer) |
| Pilot Control (Manual) | Control wheel force (pitch/roll), trim switch |
| Air Data Transducers | Dynamic pressure, static pressure, air temperature, baro altimeter |
| Navigation Sensors | VHF Nav. receiver/controller/antenna, Tacan receiver/controller/antenna, radar altimeter, MLS receiver/controller/antenna, INS, ILS |
| Flight Control Stabilization Sensors | Vertical gyros, directional gyro, rate gyros, accelerometers, sideslip, angle-of-attack |
| Aerodynamic Surface Position Transducers | Elevator, aileron, rudder, flap, trim tab (elevator, aileron, rudder), spoilers |
| Engine Transducers | Throttle position, rpm, propeller pitch, oil pressure/temperature, exhaust gas temperature/pressure |


A "fail-operative" autoland system is a multiply redundant 
system that can detect a fault in any one of the redundant channels, 
automatically disconnect that channel, and continue to function 
properly. A "fail-passive" autoland system is a system with ade- 
quate redundancy to detect a fault in any one of the redundant 
channels and automatically disconnect the total system, leaving the 
aircraft in a safe condition for manual takeover. Typically, the 
autoland system must be fail operative to be certified for Category 
III operation. A fail-passive system is generally required for 
Category II certification. The type of system used governs the 
applications which are appropriate for consideration in conjunction 
with the autoland system. 
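
The two behaviours defined above can be seen side by side in a small redundancy manager. This is an added illustration, not code from the report: it assumes mid-value voting with a fixed miscompare tolerance, and the channel names, tolerance and pitch commands are constructed.

```python
"""Mid-value voting over redundant autoland channels (constructed example)."""
from statistics import median


class RedundantAutoland:
    """Redundancy manager for N channels that compute the same command."""

    def __init__(self, channels, tolerance):
        if len(channels) < 2:
            raise ValueError("monitoring by comparison needs at least two channels")
        self.active = list(channels)
        self.tolerance = tolerance
        self.events = []      # (frame number, description)
        self._frame = 0

    @property
    def status(self):
        if len(self.active) >= 3:
            return "FAIL_OPERATIVE"   # the next fault can still be isolated
        if len(self.active) == 2:
            return "FAIL_PASSIVE"     # a fault is detectable but not isolable
        return "DISCONNECTED"         # manual takeover

    def _disconnect_all(self, reason):
        self.events.append((self._frame, reason))
        self.active.clear()
        return None

    def step(self, outputs):
        """Return the voted command, or None once the system has disconnected."""
        self._frame += 1
        if not self.active:
            return None
        values = {name: outputs[name] for name in self.active}
        if len(values) == 2:
            a, b = values.values()
            if abs(a - b) > self.tolerance:
                # Two channels disagree: neither can be trusted over the other.
                return self._disconnect_all("duplex miscompare: system disconnected")
            return (a + b) / 2
        voted = median(values.values())
        for name, value in values.items():
            if abs(value - voted) > self.tolerance:
                self.active.remove(name)
                self.events.append((self._frame, f"channel {name} voted out"))
        if len(self.active) < 2:
            return self._disconnect_all("no two channels agree: system disconnected")
        return median(values[name] for name in self.active)


# Constructed pitch commands in degrees for channels A, B and C.
FRAMES = [
    {"A": 2.00, "B": 2.02, "C": 1.98},   # all channels agree
    {"A": 1.50, "B": 15.0, "C": 1.52},   # B fails hard over
    {"A": 1.00, "B": 15.0, "C": 1.02},   # duplex operation on A and C
    {"A": 0.50, "B": 15.0, "C": 3.00},   # A and C now disagree
]


def run(channels, frames, tolerance=0.5):
    """Feed the frames to a fresh system; return [(command, status)] and events."""
    system = RedundantAutoland(channels, tolerance)
    trace = [(system.step(frame), system.status) for frame in frames]
    return trace, system.events


if __name__ == "__main__":
    for label, channels in (("triplex", ["A", "B", "C"]), ("duplex", ["A", "B"])):
        trace, events = run(channels, FRAMES)
        print(label, trace, events)
```

The triplex run survives the failure of channel B and keeps flying on two channels, while the duplex run hands over to the pilot at the same fault.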

FIGURE 8.-TRIPLE MODULAR REDUNDANCY CONFIGURATION 


In designing autoland systems, built-in monitors are added to 
detect the occurrence of component failures. Enough monitoring 
capability is added so that fixed levels of reliability (associated 
with the desired certification level) are achieved. 

The methodology for deciding which failures are operationally 
significant, and the design of appropriate hardware monitors to 
detect these failures and take appropriate action is a complex, 
time-consuming, iterative design process referred to as Failure 
Mode and Effects Analysis (FMEA) [18]. This analysis consists of 
analyzing the signal characteristics at different points in each 
autoland subsystem to determine if the possible faults occurring in 
that subsystem can be detected fast enough to ensure that the aircraft 
cannot be upset to an unsafe attitude. The monitors are 
placed at the highest subsystem levels consistent with the relia- 
bility and fault detection speed desired. Hardware monitors pro- 
vide signals indicating that failures have occurred, and they dis- 
connect the failed subsystem. 

The potential benefit of introducing an ILM system is to re- 
duce the level of redundancy required and the degree of hardware 
monitoring. Normal system monitoring can be supplemented with ILM 
derived information to assess the functioning of the autoland 
system. 


Microwave Landing System Considerations 

The United States and other countries are developing a new 
scanning beam Microwave Landing System (MLS), under the auspices 
of ICAO, to provide increased flexibility in precision landing [19]. 
The MLS will permit, through volumetric position information, 
advanced terminal approach paths such as two-segmented noise-abatement 
approaches, and curved, decelerating flight paths. However, 
because of the complexity of these landing techniques, monitoring 
the approach progress and projected touchdown state will be more 
difficult for the pilot and crew than for the straight, flat, 
constant configuration and speed operations used with present-day 
Instrument Landing Systems (ILS). 


The degree of trust which can be placed in the correctness of 
the information supplied by the MLS facility [21] is referred to 
as its integrity. The integrity requirement for MLS is as follows: 
When the system (ground/airborne) is operating in a "full up" 
Category III status, with no "abnormal" operating indications, the 
probability of both lateral and/or vertical guidance elements 
failing during the next 10 seconds (which can result in the radiation 
of a potentially hazardous guidance signal, or the loss of 
signal) will be less than $10^{-7}$. 

Degradation of MLS data produces primarily "false course" or, 
more properly, "false position fixing" phenomena. Table 7 lists 
some of the major sources of MLS integrity degradation and correl- 
ates them to the type of integrity loss produced. The major envi- 
ronmental source of MLS integrity degradation is multipath effects. 
The major single approach to integrity assurance is again the use 
of hardware monitors. To mechanize a Category III fail-operative 
ground system, a triplicate voting monitor system with fully redun- 
dant ground transmitters has been proposed. If the standby trans- 
mitter has been degraded beyond an acceptable course alignment 
tolerance, after it is on the air, an immediate shutdown will take 
place. During the time the standby transmitter is on the air, the 
facility category status will be downgraded and displayed to pilots 
and ATC. This will signal a suspension of Category III operations. 

A foremost requirement for an all-weather landing system (such 
as the MLS) is the availability of complete fail-safe airborne 
integrity monitoring of the ground signal during the approach. In 
addition to alerting the pilot, it has been proposed that the flight 
control system be disconnected automatically in the case of 
detected MLS equipment malfunctions. To achieve these requirements, 
dual processor integrity monitoring on each of the dual active 
airborne channels, along with an integral manual self test feature, 
has been recommended. 


The level of redundancy built into the airborne and ground 
based portions of the Category III MLS ensures low probability of 
failure, as stated earlier. Moreover, the hardware monitors built 
into the system inform the crew of malfunction within one second of 
occurrence. In the case of Category II MLS, the number of monitors 
and the redundancy level are reduced, so that the failure probability 
increases. The incorporation of an ILM into an airborne system can 
potentially allow Category III operation with a Category II MLS. 

TABLE 7.- SOURCES OF MLS FAILURES AND THEIR SOLUTIONS [5] 

Entries are solution keys, listed under the resulting problem. 

| PROBLEM SOURCE | RESULTING PROBLEM: Bad Angle | RESULTING PROBLEM: Bad Auxiliary Angle |
|---|---|---|
| Degradation in MLS Ground Elements | | |
| Angle encoding error | FM,IM,RD | |
| Other coding malfunction | | IM,RD |
| Sidelobe transmissions | SLS | - |
| Degradation By Environmental/External Influences | | |
| Various multipath problems (terrain, obstacles, aircraft, etc.) | BC,AP | BF |
| Degradation by Spurious Signals | | |
| Interstation interference | AP | AP |
| Other RF sources | AP,BF | AP,BF |
| Degradation in MLS Airborne Elements | | |
| Receiver malfunction | PM,RD,BT | PM,RD,BT |

Solution Keys: 

BF = Baseband format 
RD = Redundancy 
FM = Field monitoring 
IM = Integral monitoring 
BT = Built-in test 
AP = Airborne processing 
BC = Beam control (for multipath minimization) 
SLS = Sidelobe suppression 
SF = Scan format 
PM = Airborne performance monitoring 


ILM Application Areas 

An ILM serving as a monitoring/warning aid must be able to 
detect and discriminate between (a) navigation degradation/failure, 
(b) autoland degradation/failure, (c) pilot blunder (e.g., misset 
ILS or runway heading), (d) "out-of-design envelope" wind 
conditions, and (e) system failure of the ILM itself. As a guidance 
aid, the ILM must provide post-failure information to allow 
executing a manual takeover for go-around or landing, under low 
visibility conditions. From an economic standpoint, it must be ensured 
that adding an ILM to an already complex aircraft does not increase 
maintenance costs without a significant increase in overall system 
safety and all-weather performance. These requirements must 
be interpreted in terms of the application areas shown in Table 8. 

On existing aircraft with single-channel autopilots, the ILM 
could reduce decision height and generate go-around commands on 
detecting an anomalous condition. On aircraft equipped with 
dual-channel autoland systems, an ILM of adequate integrity could be 
used to initiate a manual takeover to execute a landing or 
go-around depending on the nature of the fault and height of fault 
occurrence. It is noted that a perspective runway display is 
unnecessary as part of the ILM if its principal function is that of a 
fault monitor and/or go-around prompter. 


On the other hand, if the objective is visibility enhancement 
or guidance to touchdown, then runway display becomes essential. 
Table 9 presents the ILM system functions, operational implications 
and associated information and display requirements, 
assuming a runway display is present. Proceeding from the top 
entry of the table to the bottom, the system requirements become 
increasingly sophisticated. 

TABLE 8.- APPLICATIONS OF INDEPENDENT LANDING MONITOR 

| FUNCTION | FLIGHT PHASE | OPERATIONAL PERFORMANCE |
|---|---|---|
| Gross Fault Monitor | Approach | Detect RNAV/MLS fault or pilot blunder. Command manual go-around or landing. |
| Gross Fault Monitor | Landing | Detect MLS/Autoland fault. Command manual go-around or landing from lower decision height. |
| Visibility Enhancement | Landing | Detect high ground or runway obstruction. Command go-around. |
| Fault Monitor/Manual Guidance | Landing | Provide manual guidance for go-around or landing as backup to autoland system. |
| Lateral Guidance | Rollout/Takeoff | Keep aircraft centered. Detect turnoff. |
| Longitudinal Guidance | Rollout/Takeoff | Monitor aircraft performance. Command rollout/takeoff abort and initiate emergency procedures. |


In any case, the key requirement for using an ILM is as 
follows: The system with the ILM must be demonstrated (and hence 
certifiable) to be as safe or safer than the system without an 
ILM under low visibility conditions. The methodology for 
establishing this requirement is the subject of the next chapter. 

TABLE 9.-ILM SYSTEM FUNCTIONS AND IMPLICATIONS (ASSUMING RUNWAY DISPLAY 
CAPABILITY) 

The SENSOR, PROCESSOR and DISPLAY columns are the information and display hardware requirements. 

| FUNCTIONAL REQUIREMENTS | OPERATIONAL IMPLICATIONS | SENSOR | PROCESSOR | DISPLAY |
|---|---|---|---|---|
| Gross Fault Monitor | Increased Category IIIa Service | Minimal Resolution | Decluttering | Perspective Distance CRT |
| Confidence Builder | Reduced Orientation Time In IFR Situations | | | Down/Up |
| Visibility Enhancement | Reduce Decision Height And Unnecessary Go-Around | Increase Field of View (FOV) | Same As Above | Head up |
| High Ground and Runway Obstruction Detector | Avoid Ground Collisions | Increased Resolution, FOV, and Scan Rate | Faster Processor | Same As Above |
| Lateral Rollout/Takeoff Guidance | Safety Increase | Increase Resolution, and Scan Rate | Same As Above | Same As Above |
| Longitudinal Rollout/Takeoff Guidance | Safety Increase (Category IIIb) | Reduce Interference; Additional Sensors Required (e.g., DME) | Distance Computation | Distance Display (Analog) |
| Manual Backup Guidance for Fail Passive Autoland; Fault Monitor Backup | Upgrade Fail Passive Autoland Category II/IIIa; Reduce Decision Height and Unnecessary Go-Arounds | High Resolution, Scan Rate, and FOV; Additional Sensors Required (e.g., Attitude Gyros, Altimeter) | Distance; Alignment; Crab Angle; Flight Path Angle; Attitude Stability; Ground Roll/Takeoff Distance | Synthetic Display; Symbol Generator |




ILM Application Studied Under This Effort 

As has been shown, there are many interrelated subsystems 
which affect the operation of the ILM. Because of the limited 
effort possible in this study, it was decided to concentrate on 
the automatic portion of the ILM system's potential. Referring 
to Table 9, it can be deduced that the ILM applications associated 
with having runway display capability (confidence builder, visi- 
bility enhancement, high ground and runway obstruction detector) 
can only be analyzed by cockpit simulator or flight test capability. 
For such studies, an ILM mockup or prototype would be necessary. 
Thus, these applications were only considered in terms of what gen- 
eral display requirements would be necessary. 

Referring to Table 8, it was felt that the greater economic 
potential from the ILM can be realized during the landing phase. It 
is also in this phase that the ILM has the most critical effect on 
systems safety. Furthermore, if a methodology could be developed 
for determining information and display requirements for the landing 
phase, it would be straightforward to extend this methodology 
to analyze the approach and ground phases of flight. 

Thus, the applications considered in detail were the automatic 
functions of the ILM during the landing phase of flight. 
These included fault monitoring/detection and manual guidance in 
the presence of a fault. 

The ILM applications had to consider the nature of the auto- 
land equipment on board. Because a fail-operative system (required 
for Category III operations) is supposed to be essentially fail- 
safe, the ILM fault detection and guidance applications are more 
suited to aircraft with fail-passive or less sophisticated systems. 

A key question then was as follows: How much lower can the 
visibility ceiling be set when an ILM is being used, if the same level 
of safety is to be maintained as is present with the higher ceiling 
and no ILM? The approach presented in the following chapters 
directly addresses this question. 

To answer this question required assessing the time-to-detect 
and correct a fault by use of an ILM and manual control. Total 
fault recovery time was used to define an altitude, namely, "criti- 
cal altitude" below which no fault was recoverable within the de- 
sired levels of safety, for a go-around decision. Similarly, an 
altitude was determined below which no fault was safely recoverable 
for a landing decision; this altitude was labeled "decision alti- 
tude." Thus, decision altitude and critical altitude define 
switchover points in the decision strategy associated with monitor- 
ing and detecting a fault. The exact values of these altitudes 
thus play key roles in assessing the economic value of using an 
ILM for lowering landing minimum for less sophisticated autoland 
capability. 




III. SYSTEM SAFETY ANALYSIS 

This chapter addresses a number of basic issues concerning 
use of the ILM that are affected by safety requirements. These 
are: (1) On what basis can existence and use of an ILM be 
justified? (2) How is the strategy associated with use of the ILM 
system affected? (3) On what basis will possible conflicting system 
failure indications of the autoland fault monitors be reconciled 
with those of the ILM? (4) What are the technical requirements 
(false alarm rate, missed fault rate) of the ILM fault 
detection equipment? and (5) What are the fault detection timing 
requirements? 

The underlying means of addressing these pertinent questions 
is to analyze the contribution of subsystem reliability to overall 
system safety. In the process of answering these questions, an 
ILM system design methodology evolved, and it is presented in 
further detail in this chapter. 

This chapter begins with an overview of safety and performance 
analysis which also includes aspects pertinent to certification. 
Then, ILM decision strategies and pilot takeover criteria are dis- 
cussed. Numerical results are used to illustrate the interrelation- 
ship between safety and reliability. Then answers to the above 
questions are numerically illustrated. The mathematical details 
of the safety analysis are presented in Appendix B. 


Safety Analysis Overview 

The overall design of advanced avionics/autoland systems 
(including an ILM for use in low visibility conditions [7, 9, 10, 
15]) requires consideration of two criteria--system performance 
and system safety. System performance is measured in terms of 
the statistical dispersion of the aircraft around the nominal 
state at touchdown (touchdown manifold). This is evaluated by 
considering the effects of variations within the normal equipment 
design tolerances (i.e., the effects of equipment faults are not 
considered) and normal external environment factors (i.e., 
turbulence, steady winds) on the touchdown dispersion manifold. 

System safety assessment entails a more global consideration 
of the entire terminal area flight envelope. The effect of all 
faults and fault sequences within the system must be examined on 
a probabilistic basis to determine the total probability of exceed- 
ing specified flight path safety limits. 

For the ILM, both system performance (touchdown manifold) 
and system safety (entire flight path envelope) must be assessed 
in terms of individual causes (e.g., design tolerances, turbulence, 
MLS beam bends, avionics faults and fault sequences, etc.) con- 
tributing to the overall probability of a catastrophic accident. 

This performance and safety analysis process is depicted in flow 
chart form in Figure 9. In this figure, fault-free performance 
is a measure of how often there is a catastrophic accident during 
landing even though the autoland system and associated equipment 
operate within normal tolerances. This probability is designated 
by $P_{nual}$. (The nomenclature is explained later.) 

The "nuisance disconnect" (or "false alarm") is a situation 
where, even though the primary autoland system is performing 
perfectly, the automatic system is disconnected because of some signal 
combination anomaly or hardware monitor failure. Then, manual 
takeover is required. Nuisance disconnect performance refers to 
the rate at which ensuing catastrophic accidents occur because of 
these false alarms. Here, the probabilities are designated by 
$P_{ndpl}$ and $P_{ndpg}$ to indicate that either a manual landing or a 
go-around was attempted when the accident occurs. 

FIGURE 9.-FLOW CHART OF PROCESS REQUIRED FOR EVALUATION OF 
ILM SYSTEM SAFETY AND PERFORMANCE 


A "system failure" may or may not be detected by the ILM or 
the primary system monitors. The rate of undetected failures that 
causes accidents is designated $P_{fual}$. The rates of detected 
failures followed by manual takeover that result in catastrophic 
accidents in landing or go-around are designated by $P_{fdpl}$ and 
$P_{fdpg}$, respectively. 


To determine the ILM system's reliability requirements, each 
of these measures of performance must be known for the autoland 
system operating without the ILM. These probabilities are then 
combined and evaluated by using the overall safety requirement. 
The result is the determination of reliability requirements of the 
ILM system. Details of evaluating the fault free, nuisance 
disconnect, and system failure performance (together with the associated 
probability definitions) are discussed later in this chapter. 


System Performance Evaluation 


As noted above, system performance is evaluated in terms of the 
touchdown dispersion envelope. The process of evaluating this 
performance typically consists of setting up a detailed computer 
simulation of the aircraft, avionics/autoland, landing aids, and 
the external environment [9]. Then, by performing an extensive Monte 
Carlo analysis, the fault free performance of the entire autoland 
system is evaluated in terms of the probability of catastrophic 
accident (aircraft state exceeds safety constraints) . 

Some of the terminal area parameters which must be incorpor- 
ated into such a simulation are presented in the previous chapter. 
The external environment simulation model would include the wind 
conditions, such as those defined in Table 3. An example of the 
acceptable touchdown parameter manifold that would be used in 
testing is presented in Table 4. 

If the overall system safety requirement is specified as an 
acceptably small rate of catastrophic accidents per number of 
landing attempts, then the fault-free performance measure must be a 
smaller subset of this overall rate. For example, the current 
overall safety criterion for certification of a Category III 
autoland system is that the catastrophic accident probability rate be 
less than $10^{-7}$. The contribution of the fault free autoland system 
to this number is specified to be no greater than $10^{-8}$. For a five 
dimensional terminal state manifold, this corresponds to the rate 
at which the seven sigma values computed from Table 4 are exceeded. 
(See Appendix B). 

Performance failure during go-around (i.e., probability of 
a catastrophic accident while executing a go-around) must be evalu- 
ated by computer simulation in a manner similar to the landing 
evaluation. Clearly defined criteria similar to Table 4 are not 
available; this can be attributed to the fact that performance 
failures in go-around are highly aircraft dependent. In general, 
performance failures result from exceeding certain aerodynamic 
constraints (e.g., angle-of-attack, sideslip) or violation of 
obstacle clearance boundaries. 


System Safety Evaluation 

The overall system safety assessment can be performed by 
defining an event outcome tree. Then, the probability of occurrence 
of each outcome leading to a catastrophe is determined by 
analysis and simulation. Some of the results may be validated by 
flight test. Finally, total system probability of catastrophic 
failure is determined by summing these probabilities, as defined 
by the outcome tree. 

The failure rates are dependent upon the strategies that a 
pilot may take in case of a detected fault. In the following, two 
possible pilot strategies are first defined; then an event outcome 
tree is presented for one of these strategies. Subsequently, the 
incorporation of the ILM's reliability measures into this probabil- 
ity tree is discussed. The associated problem of resolving a pos- 
sible conflict between the autoland and ILM monitor signals is 
then treated. 


Pilot decision strategies.- Two distinct pilot decision 
strategies are feasible following the detection of an autoland 
system fault during the landing sequence. These are depicted in 
Figures 10 and 11. Consider an airborne system equipped with 
autoland capability but no ILM. Suppose that the autoland is engaged at 
height $h_g$; then, the first decision strategy, designated A, consists 
of executing a go-around if the autoland monitors detect a fault 
between altitude $h_g$ and $h^*$. An emergency landing is executed if 
the fault is detected between $h^*$ and touchdown (TD). The value of 
$h^*$ is determined statistically as the height above which it is safer 
to attempt a go-around in case of a fault. Below this altitude it 
is safer to attempt a manual landing. As shown in Figure 10, the 
nominal flight duration between these altitudes is $T_2$ and $T_1$, 
respectively. 

FIGURE 10. - POST FAULT DETECTION PILOT DECISION 
STRATEGY (A) 
[Figure not reproduced. Recoverable labels: total exposure time; pilot decision: emergency land, go-around.] 

FIGURE 11. - POST FAULT DETECTION PILOT DECISION 
STRATEGY (B) 
[Figure not reproduced. Recoverable labels: pilot decision: emergency land, go-around, manual land.] 


The other possible strategy, shown in Figure 11, is to execute: 
(a) an emergency landing if the fault is detected between $h_1^*$ and 
TD, (b) a go-around if the altitude of fault detection lies between 
$h_1^*$ and $h_2^*$, and (c) a manual landing if the fault is 
detected between $h_g$ and $h_2^*$. In this second strategy, $h_1^*$ is 
chosen in the same manner as $h^*$ in Strategy A. The higher altitude 
$h_2^*$ is chosen based on the assumption that above this altitude, 
there is adequate time to recover manually so that the landing 
sequence can safely be continued. Recovery consists of nulling 
out the state error caused by the fault and manually tracking the 
nominal approach flight path. It is noted that manual recovery 
for landing in Strategy B may be realistic only if visual contact 
can be established with the runway prior to $h_2^*$. In other words, 
the visibility ceiling would not be below a minimum of $h_2^*$. 
Alternatively, the ILM equipment must have the capability of 
providing manual guidance to touchdown. 

Event outcome tree.- To illustrate the methodology of 
evaluating the total system probability of catastrophic accident, 
the outcome tree is now considered for an autoland with Strategy 
A depicted in Figure 12. The probability terms used in this figure 
are defined in Table 10. A detailed exposition of these 
probabilities is presented in Appendix B. These probability terms are 
essentially integrals of the associated probability density 
functions which must be determined in general by simulation methods. 
The hypothesized forms of the go-around and autoland catastrophe 
probability density functions are illustrated in Figures 13 and 
14, respectively. 

The branches of the tree in Figure 12 terminate with either 
landing or go-around failure probabilities. A landing failure can 
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FIGURE 12. -EVENT OUTCOME TREE FOR MONITOR OPERATION DURING 
AUTOMATIC LANDING USING STRATEGY A. 






FIGURE 13. - PILOT RECOVERY CATASTROPHE PROBABILITY 
DENSITY FUNCTION 



FIGURE 14. - AUTOLAND CATASTROPHE PROBABILITY DENSITY 
FUNCTION 


TABLE 10. - OUTCOME TREE CATASTROPHE PROBABILITIES 

| QUANTITY | EQUIPMENT FAILURE | MONITOR DETECTION | RESULTING PILOT OBJECTIVE | COMMENTS |
|---|---|---|---|---|
| $P_A$ | | | | Total System Probability of Catastrophe Accident |
| $P_{EF}$ | Yes | -- | -- | Probability of Equipment Failure |
| $P_{MAE}$ | Yes | No | -- | Probability of Missed Alarm Following Equipment Failure |
| $P_D$ | Yes | Yes | -- | Probability of Detected Fault |
| $P_{FAE}$ | No | Yes | | Probability of False Alarm Caused By Primary Equipment Monitors |
| $P_{nual}$ | No | No | Land | Fault Free Performance Measure |
| $P_{fual}$ | Yes | No | Land | Missed Alarm |
| $P_{fdpg}$ | Yes | Yes | Go-Around | Prior to h* (detection, $1 - P_{MAE}$) |
| $P_{fdpl}$ | Yes | Yes | Land | After h* (detection, $1 - P_{MAE}$) |
| $P_{ndpg}$ | No | Yes | Go-Around | Prior to h* (nuisance disconnect / false alarm, $P_{FAE}$) |
| $P_{ndpl}$ | No | Yes | Land | After h* (nuisance disconnect / false alarm, $P_{FAE}$) |

Notation: $P_{(f/n)(d/u)(p/a)(g/l)}$ = probability of catastrophe 

f - fault; n - no fault; d - detected; u - undetected; 
p - pilot; a - automatic; g - go-around; l - land; 
h* - minimum descent altitude 

occur due to a number of conditions which can be partitioned into 
the lateral and longitudinal failure effects. Lateral effects 
include such events as running off the side of the runway, excessive 
crab, and wing tip/pod/tail scrape. Longitudinal effects include 
overrunning the runway and hard/soft landing. Similarly, lateral 
go-around failure effects include violation of obstacle clearance 
and excessive roll angles and rates. Longitudinal go-around 
failures include such events as stall and unacceptable obstacle 
clearance. 


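On the basis of Figures 10 and 12, the total system probability 
of catastrophic accident, $P_A$, can be expressed as 

$$P_A = P_{EF}\{P_{MAE} P_{fual} + (1 - P_{MAE})(\alpha_1 P_{fdpl} + \alpha_2 P_{fdpg})\} + (1 - P_{EF})\{P_{nual} + P_{FAE}(\alpha_1 P_{ndpl} + \alpha_2 P_{ndpg})\} \qquad (1)$$

Here, the exposure factors $\alpha_1$ and $\alpha_2$ are given by 

$$\alpha_1 = \frac{T_1}{T_1 + T_2} \qquad (2)$$

$$\alpha_2 = \frac{T_2}{T_1 + T_2} \qquad (3)$$
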

Basically, the exposure factor represents the portion of the total 
flight period during which the system is "exposed" to the conse- 
quences of a particular pilot decision. 

Effect of an ILM on pilot takeover. - The incorporation of an 
ILM with its own monitors into an autoland system brings up a 
significant operational problem. The source of the problem is the 
potential disagreement between the ILM and primary system monitor 
alarms. Table 11 lists the four takeover initiation options that 
could be used to resolve this situation. Clearly in an operational 
environment, one of these must be selected as being more 
appropriate. The logical way to resolve this conflict is to 
determine which of these four options leads to the highest level of 
system safety or lowest level of catastrophic accident probability, 
$P_A$. For a given autoland system, after having selected one of 
these options as the best, the pilot/crew would be trained to 
follow always that particular takeover criterion. 

TABLE 11. - POST-FAULT DETECTION PILOT TAKEOVER CRITERION OPTIONS 

| OPTION | TAKEOVER INITIATION CRITERION |
|---|---|
| 1 | Consider Primary Monitors Only (i.e., no ILM) |
| 2 | Use Either ILM or Primary Monitors |
| 3 | Use ILM Only (i.e., Ignore Primary Monitors) |
| 4 | Use ILM and Primary Monitors (i.e., Act Only If Both Detect Fault) |

The combination of the two decision strategies presented in 
Figures 10 and 11 and the four takeover options listed in Table 11 
results in eight design alternatives and eight associated accident 
probability equations for $P_A$. The generic form of the system 
safety equation is: 

$$P_A = (1 - P_{EF})\{P_{nual} + w \cdot x\} + P_{EF}\{P_{fual} \cdot y + x \cdot z\} \qquad (4)$$

The parameters w, x, y and z for each of the eight combinations are 
expanded in terms of probability measures in Table 12. Detailed 
definitions of the probability measures are presented in Table 
13. The equation pertaining to a specific strategy decision and 
initiation criterion is constructed by inserting the corresponding 
tabulated terms representing the false alarm rate, missed alarm rate, 
strategy, and initiation criterion. These equations form the basis 
for addressing the questions raised at the beginning of the 
chapter. The basic objective is to select the alternative that 
leads to the lowest probability of catastrophic accident $P_A$. 
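TABLE 12. - ACCIDENT PROBABILITY $P_A$ AS A FUNCTION OF DECISION STRATEGY AND INITIATION OPTION 

$$P_A = (1 - P_{EF})\{P_{nual} + w \cdot x\} + P_{EF}\{P_{fual} \cdot y + x \cdot z\}$$

| DECISION STRATEGY | INITIATION CRITERION | w (FALSE ALARM) | x (STRATEGY) | y (MISSED ALARM) | z (CRITERION) | COMMENTS |
|---|---|---|---|---|---|---|
| A | 1 | $P_{FAE}$ | $P_{SAE} = \alpha_1 P_{ELE} + \alpha_2 P_{GAE}$ | $P_{MAE}$ | $(1 - P_{MAE})$ | |
| A | 2 | $P_{FAE} + P_{FAI}$ | $P_{SAI} = \alpha_1 P_{ELI} + \alpha_2 P_{GAI}$ | $P_{MAE} \cdot P_{MAS}$ | $(1 - P_{MAE})P_{MAS} + (1 - P_{MAS})P_{MAE} + (1 - P_{MAS})(1 - P_{MAE}) = 1 - P_{MAE} \cdot P_{MAS}$ | A necessary condition to justify an ILM is [relation symbols illegible]: $P_{ELI}$, $P_{ELE}$; $P_{GAI}$, $P_{GAE}$; $P_{ILM}$, $P_{MAI}$ |
| A | 3 | $P_{FAI}$ | $P_{SAI}$ | $P_{MAS} = P_{ILM} + P_{MAI}$ | $(1 - P_{MAS})$ | |
| A | 4 | $P_{FAI} \cdot P_{FAE}$ | $P_{SAI}$ | $P_{MAS}(1 - P_{MAE}) + P_{MAE}(1 - P_{MAS})$ | $(1 - P_{MAS})(1 - P_{MAE})$ | |
| B | 1 | $P_{FAE}$ | $P_{SBE} = \alpha_1 P_{ELE} + \alpha_2 P_{GAE} + \alpha_3 P_{MLE}$ | $P_{MAE}$ | $(1 - P_{MAE})$ | Visibility and $P_{MLE}$: CAVU $10^{-6}$; CAT I $10^{-3}$; CAT II $10^{-3}$; CAT III 1 (unacceptable) |
| B | 2 | $P_{FAE} + P_{FAI}$ | $P_{SBI} = \alpha_1 P_{ELI} + \alpha_2 P_{GAI} + \alpha_3 P_{MLI}$ | $P_{MAE} \cdot P_{MAS}$ | $(1 - P_{MAE} \cdot P_{MAS})$ | A necessary condition to justify this strategy is $P_{MLI} \ll P_{MLE}$ and $P_{MLI}$ [relation illegible] $P_{GAI}$ |
| B | 3 | $P_{FAI}$ | $P_{SBI}$ | $P_{MAS}$ | $(1 - P_{MAS})$ | |
| B | 4 | $P_{FAI} \cdot P_{FAE}$ | $P_{SBI}$ | $P_{MAS}(1 - P_{MAE}) + P_{MAE}(1 - P_{MAS})$ | $(1 - P_{MAS})(1 - P_{MAE})$ | |
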

TABLE 13. - DEFINITION OF TERMS APPEARING IN TABLE 12 

| QUANTITY | DEFINITION |
|---|---|
| $P_{FAE}$ | Probability Of False Alarm - Autoland/MLS/Other Equipment (Primary) Monitors |
| $P_{FAI}$ | Probability Of False Alarm - ILM |
| $P_{SAE}$ | Probability Of Catastrophe Using Strategy A With No ILM (Primary Monitors Only) |
| $P_{SAI}$ | Probability Of Catastrophe Using Strategy A With ILM |
| $P_{ELE}$ | Probability Of Emergency Landing Catastrophe With No ILM |
| $P_{GAE}$ | Probability Of Go-Around Catastrophe With No ILM |
| $P_{ELI}$ | Probability Of Emergency Landing Catastrophe With ILM |
| $P_{GAI}$ | Probability Of Go-Around Catastrophe With ILM |
| $P_{SBE}$ | Probability Of Catastrophe Using Strategy B With No ILM |
| $P_{SBI}$ | Probability Of Catastrophe Using Strategy B With ILM |
| $P_{MLE}$ | Probability Of Manual Landing Catastrophe With No ILM |
| $P_{MLI}$ | Probability Of Manual Landing Catastrophe With ILM |
| $P_{MAE}$ | Probability Of Missed Alarm - Primary Monitors |
| $P_{MAI}$ | Probability Of Missed Alarm - ILM (Inherent Rate) |
| $P_{ILM}$ | Probability Of Missed Alarm Due to ILM Failure |
| $P_{MAS}$ | Probability Of Missed Alarm Of ILM; $P_{MAS} = P_{MAI} + P_{ILM}$ |
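
The construction described above, equation (4) with the w, x, y and z terms read from Table 12, can be evaluated mechanically for all eight design alternatives. The following Python code is an added example and is not part of the original report; the probability values are constructed for illustration (only the exposure factors are the Table 14 values), and all function and field names are hypothetical.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Probabilities:
    """Probability terms of Tables 10 and 13, per landing exposure period."""
    p_ef: float    # primary equipment failure
    p_nual: float  # autoland catastrophe, no fault present
    p_fual: float  # autoland catastrophe, fault present and undetected
    p_fae: float   # false alarm, primary monitors
    p_mae: float   # missed alarm, primary monitors
    p_fai: float   # false alarm, ILM
    p_mai: float   # missed alarm, ILM (inherent rate)
    p_ilm: float   # missed alarm due to ILM failure
    p_ele: float   # emergency landing catastrophe, no ILM
    p_gae: float   # go-around catastrophe, no ILM
    p_mle: float   # manual landing catastrophe, no ILM
    p_eli: float   # emergency landing catastrophe, with ILM
    p_gai: float   # go-around catastrophe, with ILM
    p_mli: float   # manual landing catastrophe, with ILM

    @property
    def p_mas(self):
        # Table 13: total ILM missed alarm = inherent rate + ILM failure
        return self.p_mai + self.p_ilm


def takeover_catastrophe(strategy, with_ilm, p, alphas):
    """x term of Table 12: P_SAE / P_SAI (Strategy A) or P_SBE / P_SBI (B)."""
    if with_ilm:
        el, ga, ml = p.p_eli, p.p_gai, p.p_mli
    else:
        el, ga, ml = p.p_ele, p.p_gae, p.p_mle
    if strategy == "A":
        a1, a2 = alphas
        return a1 * el + a2 * ga
    if strategy == "B":
        a1, a2, a3 = alphas
        return a1 * el + a2 * ga + a3 * ml
    raise ValueError("strategy must be 'A' or 'B'")


def alarm_terms(option, p):
    """(w, y, z) of Table 12 for takeover initiation options 1-4 (Table 11)."""
    if option == 1:   # primary monitors only
        return p.p_fae, p.p_mae, 1.0 - p.p_mae
    if option == 2:   # act if either monitor set alarms
        y = p.p_mae * p.p_mas
        return p.p_fae + p.p_fai, y, 1.0 - y
    if option == 3:   # ILM only
        return p.p_fai, p.p_mas, 1.0 - p.p_mas
    if option == 4:   # act only if both alarm (y as printed in Table 12)
        y = p.p_mas * (1.0 - p.p_mae) + p.p_mae * (1.0 - p.p_mas)
        return p.p_fai * p.p_fae, y, (1.0 - p.p_mas) * (1.0 - p.p_mae)
    raise ValueError("option must be 1, 2, 3 or 4")


def accident_probability(strategy, option, p, alphas):
    """Equation (4): P_A = (1-P_EF){P_nual + w x} + P_EF{P_fual y + x z}."""
    w, y, z = alarm_terms(option, p)
    x = takeover_catastrophe(strategy, option != 1, p, alphas)
    return (1.0 - p.p_ef) * (p.p_nual + w * x) + p.p_ef * (p.p_fual * y + x * z)


# Constructed sample values (NOT the report's Table 15/16 entries).
SAMPLE = Probabilities(
    p_ef=1e-4, p_nual=1e-8, p_fual=0.9,
    p_fae=1e-3, p_mae=1e-1, p_fai=1e-4, p_mai=1e-3, p_ilm=1e-4,
    p_ele=0.05, p_gae=1e-3, p_mle=1e-3,
    p_eli=1e-3, p_gai=1e-4, p_mli=5e-5,
)
# Exposure factors from Table 14: (a1, a2) for A, (a1, a2, a3) for B.
ALPHAS = {"A": (0.02, 0.98), "B": (0.02, 0.08, 0.90)}


def rank_alternatives(p=SAMPLE, alphas=ALPHAS):
    """All eight (strategy, option) alternatives, lowest P_A first."""
    results = {
        (s, o): accident_probability(s, o, p, alphas[s])
        for s, o in product("AB", (1, 2, 3, 4))
    }
    return sorted(results.items(), key=lambda item: item[1])


if __name__ == "__main__":
    for (strategy, option), p_a in rank_alternatives():
        print(f"Strategy {strategy}, Option {option}: P_A = {p_a:.3e}")
```

The ranking depends entirely on the inputs, so a different set of monitor rates can move a different option to the top.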






Evaluation Of System Requirements 


With the formulation of the eight possible strategy combinations 
presented in Table 12, it is now possible to address the questions 
posed at the beginning of this chapter. This is done by 
considering the typical ranges of numerical values for the parameters 
which make up the equations of Table 12. Specific example values 
are selected for these parameters, and they are used to compute the 
resulting probability of catastrophic accident $P_A$. Then, the 
strategy which gives best results can be selected. Also, necessary 
equipment performance requirements can be ascertained. 

Consider the first question: On what basis can an ILM be 
justified? The answer to this question has two parts - (a) the 
strategies which use the ILM information (Options 2, 3, and 4 in Table 
11) must provide better safety results than without the ILM (Option 
1) and (b) the improvement in safety or landing performance must be 
economically justified. Only the former condition is considered 
here. 


The answer to the second question - How is the strategy asso- 
ciated with use of the ILM affected? - can be partially answered by 
determining which strategy (A or B) discussed previously provides 
the better results. The answer to the third question - On what 
basis will possible conflicting system failure indications of the 
existing autoland monitors be reconciled with those of the ILM? - 
is based on which option of Table 11 using the ILM provides the 
better answer. The answer to the fourth question - What are the 
technical requirements of the ILM fault detection equipment? - 
is based on what are the upper limits to the ILM false alarm rate 
and missed alarm rate which will still provide an acceptable cata- 
strophic accident rate. 

The answer to the fifth question - What are the fault detection 
timing requirements? - is not directly answered in this chapter. 

The strategies A and B use the altitude parameters $h^*$, $h_1^*$, and 
$h_2^*$. These altitude values are given assumed values in this 
section so that the eight combinations of Table 12 can be numerically 
evaluated. Later, the total recovery timing requirements are 
evaluated and the results are used to reset the values of $h^*$ or 
$h_1^*$ and $h_2^*$. The system designer can use these new values to 
recompute the ILM equipment performance requirements based on the 
options presented in this chapter. In this way, the ILM system 
design is an iterative process. 


In the following, the nominal values of exposure factors 
resulting from the strategies A and B are first determined. Then, 
nominal values for autoland and other equipment failure 
probabilities and ILM failure probabilities are selected. These values 
are used to evaluate the probability of catastrophic accident, $P_A$. 
The basic design rule is to determine numerical values of the 
unspecified parameters to ensure that a specified level of safety is 
achieved. For numerical example, the FAA certification requirement 
of $P_A \le 10^{-7}$ catastrophic accidents per landing is used. 

All calculations assume that the total exposure period is 
250 seconds. During the start of this period, the aircraft is 
assumed to enter the landing area with the onboard autoland system 
and the ILM system in an armed state. The assumed nominal values 
for the exposure factors are summarized in Table 14. In general, 
these values are very much aircraft dependent; for example, the 
Boeing 737 can execute a go-around from 20 feet wheel height where- 
as a Boeing 747 cannot. 

TABLE 14. - EXPOSURE FACTORS USED FOR NUMERICAL EXAMPLES 

| PARAMETERS | A | B | COMMENTS |
|---|---|---|---|
| $T_1$ (s) | 5 | 5 | Exposure Period For Emergency Landing Decision |
| $T_2$ (s) | 245 | 10 | Exposure Period For Go-Around Decision |
| $T_3$ (s) | - | 225 | Exposure Period For Manual Landing Decision |
| $\alpha_1$ | .020 | .02 | Exposure Factor - Emergency Landing |
| $\alpha_2$ | .98 | .08 | Exposure Factor - Go-Around |
| $\alpha_3$ | - | .9 | Exposure Factor - Manual Landing |

Table 15 shows the results of computing typical values of 
probabilities of a catastrophe due to manual takeover ($P_{SAE}$, 
$P_{SAI}$, $P_{SBE}$, $P_{SBI}$) with Strategies A and B and with and 
without an ILM. These results are for assumed values of the terms 
$P_{GAE}$, $P_{ELE}$, $P_{MLE}$, $P_{ELI}$, $P_{GAI}$, $P_{MLI}$ and the 
exposure factors given in Table 14. To justify Strategy B using an 
ILM, it is required that the probability of catastrophe during manual 
landing using ILM guidance is less than that using autoland monitors 
alone; that is 

$$P_{MLI} \le P_{MLE} \qquad (5)$$

Moreover, the probability of catastrophe while executing a manual 
landing using an ILM should be less than or equal to that for 
executing a go-around using an ILM; this is 

$$P_{MLI} \le P_{GAI} \qquad (6)$$

Table 15 indicates that Strategy B is unacceptable under Category 
III conditions, without an ILM, due to the excessively large 
contribution to accident catastrophe in attempting a blind landing 
without guidance aids; this is an intuitively obvious result. 
TABLE 15. - EFFECTIVE CATASTROPHIC PROBABILITIES FOR STRATEGY 
A AND B, WITH AND WITHOUT ILM FOLLOWING MANUAL 
TAKEOVER 

| PROBABILITY | VALUE | SITUATION OF CATASTROPHE |
|---|---|---|
| $P_{GAE}$ | $10^{-3}$ | Go-Around Using Primary Monitors |
| $P_{ELE}$ | 0.9 | Emergency Landing Using Primary Monitors |
| $P_{MLE}$ | 10^-[illegible] (Category I); $10^{-3}$ (Category II); 1 (Category III) | Manual Landing Using Primary Monitors |
| $P_{ELI}$ | 10^-[illegible] | Emergency Landing Using ILM Monitors/Guidance |
| $P_{GAI}$ | 10^-[illegible] | Go-Around Using ILM Monitors/Guidance |
| $P_{MLI}$ | 10^-[illegible] | Manual Landing Using ILM Monitors/Guidance |
| $P_{SAE}$ | $2 \times 10^{-3}$ | Strategy A, Using Primary Monitors |
| $P_{SAI}$ | 3 × 10^-[illegible] | Strategy A, Using ILM Monitors/Guidance |
| $P_{SBE}$ | 1.2 × 10^-[illegible] (Category I); 1.7 × 10^-[illegible] (Category II); 0.9 (Category III) | Strategy B, Using Primary Monitors; Unacceptable for Category III Visibility |
| $P_{SBI}$ | 3 × 10^-[illegible] | Strategy B, Using ILM Monitors/Guidance |


A necessary condition for justifying the incorporation of an 
ILM is that using the ILM decreases the probability of catastrophe 
for one of the strategies; that is either 

$$P_{SAI} \le P_{SAE} \qquad (7)$$

or 

$$P_{SBI} \le P_{SBE} \qquad (8)$$

Finally, for the systems with ILM's, a necessary condition for 
choosing Strategy B over Strategy A is that the corresponding 
catastrophe probability for the former be less than the latter; that is 

$$P_{SBI} \le P_{SAI} \qquad (9)$$

The evaluation and verification of conditions (4) - (8) is done by 
performing a covariance propagation analysis. The method is 
presented in Chapter V and Appendix B. 


Now consider the probability of catastrophic accident as a 
function of the equipment used. Table 16 contains assumed nominal values 
of the probability terms required to compute the total catastrophic 
accident probability $P_A$. All fault rates are based on a 250 second 
exposure period. For Strategy A and initiation Option 1, Table 17 
illustrates the effect of improving the primary equipment failure 
rate $P_{EF}$ using the values given in Tables 14 and 16. The safety 
specification of $10^{-7}$ cannot be met; the limiting factor is the 
missed alarm probability $P_{MAE}$. Table 18 shows the effect of 
improving the primary equipment monitor missed alarm rate $P_{MAE}$; 
here again the safety requirement of $10^{-7}$ cannot be met with an 
equipment failure rate of 10^-[illegible]. 

TABLE 16. - NOMINAL VALUES OF PROBABILITY TERMS REQUIRED 
TO COMPUTE $P_A$ 

| PROBABILITY | NOMINAL VALUE | COMMENT |
|---|---|---|
| $P_{EF}$ | 10^-[illegible] | MTBF ~ 700 Hours; Autoland/MLS (Primary) Equipment Failure |
| $P_{ILM}$ | [illegible] | MTBF ~ 700 Hours; ILM Hardware Failure Rate |
| $P_{fual}$ | 0.9 | Automatic Landing Catastrophe With Failed Primary Equipment |
| $P_{nual}$ | $10^{-8}$ | Automatic Landing Catastrophe Under Normal Operations |
| $P_{FAE}$ | [illegible] | Primary Monitor False Alarm (Nuisance Disconnect) |
| $P_{MAE}$ | [illegible] | Primary Monitor Missed Alarm (Undetected Failure) |
| $P_{FAI}$ | 10^-[illegible] | ILM Monitor False Alarm (Nuisance Disconnect) |
| $P_{MAI}$ | 10^-[illegible] | ILM Monitor Missed Alarm (Undetected Failure) |

When using the baseline data from Table 16, consider the effect 
of varying the primary equipment monitor false alarm and missed 
alarm rates ($P_{FAE}$ and $P_{MAE}$) with and without the ILM when 
Strategy A is used. In Table 19, Case 1 illustrates (via numerical 
example) that system performance will indeed be enhanced by an ILM, 
provided the fault detection performance of the ILM ($P_{FAI}$ and 
$P_{MAI}$) can be implemented. Case 2 illustrates that incorporation 
of an ILM does not improve overall performance appreciably if the 
normal missed alarm rate is reduced to 10^-[illegible]. Case 3 shows 
that incorporation of an ILM using takeover Option 2 is insufficient 
to meet the safety requirements, although there is almost two orders 
of magnitude improvement in $P_A$ by using the ILM. Consequently, the 
other options in Table 11 were examined by repeating Case 3. The ILM 
performance measures $P_{FAI}$ and $P_{MAI}$ were adjusted to achieve 
$10^{-7}$ for $P_A$. 

Cases 4 and 5 in Table 19 show the result of considering these 
options. For the numerical values chosen, Option 3 is acceptable. 
Here, stringent requirements are placed on the ILM performance. 
Option 4 is preferred because the ILM false alarm and missed alarm 
rates required are more easily implemented in hardware than those 
required for Option 3. 
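TABLE 17. - EFFECT OF IMPROVING PRIMARY EQUIPMENT FAILURE 
RATE $P_{EF}$ ON PROBABILITY OF CATASTROPHE ACCIDENT $P_A$ 

| $P_{EF}$ | $P_A$ | SAFETY LIMITING FACTORS |
|---|---|---|
| 10^-[illegible] | $1.2 \times 10^{-5}$ | $P_{EF}$ |
| $10^{-5}$ | 3 × 10^-[illegible] | $P_{EF}$, $P_{MAE}$ |
| 10^-[illegible] | 2 × 10^-[illegible] | $P_{MAE}$ |

TABLE 18. - EFFECT OF IMPROVING AUTOLAND MONITOR MISSED 
ALARM RATE $P_{MAE}$ ON $P_A$ 

| $P_{MAE}$ | $P_A$ | SAFETY LIMITING FACTORS |
|---|---|---|
| $10^{-1}$ | $1.2 \times 10^{-5}$ | $P_{MAE}$ |
| 10^-[illegible] | 4.9 × 10^-[illegible] | $P_{MAE}$, [illegible] |
| $10^{-5}$ | 4.1 × 10^-[illegible] | $P_{MAE}$, $P_{EF}$ |

TABLE 19. - RESULTS OF CATASTROPHIC ACCIDENT PROBABILITY 
COMPUTATIONS 

| CASE | $P_{FAE}$ (ASSUMED) | $P_{MAE}$ (ASSUMED) | $P_{FAI}$ (ASSUMED) | $P_{MAI}$ (ASSUMED) | $P_A$ FOR OPTION 1 | $P_A$ FOR ILM: OPTION | $P_A$ FOR ILM: VALUE |
|---|---|---|---|---|---|---|---|
| 1 | 10^-[illegible] | 10^-[illegible] | 10^-[illegible] | 10^-[illegible] | $1.2 \times 10^{-3}$ | 2 | $10^{-2}$ |
| 2 | 10^-[illegible] | 10^-[illegible] | 10^-[illegible] | $10^{-2}$ | $4 \times 10^{-3}$ | 2 | 10^-[illegible] |
| 3 | 10^-[illegible] | 10^-[illegible] | 10^-[illegible] | 10^-[illegible] | $2.2 \times 10^{-3}$ | 2 | $3.7 \times 10^{-2}$ |
| 4 | | $10^{-3}$ | 3 × 10^-[illegible] | 2 × 10^-[illegible] | $2.2 \times 10^{-3}$ | 3 | ~$10^{-2}$ |
| 5 | 10^-[illegible] | $10^{-3}$ | | | $2.2 \times 10^{-3}$ | 4 | ~$10^{-2}$ |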



























A similar comparative analysis of the various cases listed 
in Table 19 can be performed for Strategy B. The main point to be 
made by the above examples is that the answers to questions raised 
at the beginning of the chapter are very much system dependent. 


Summary 

The method of providing overall system safety during the 
design of all advanced avionic systems with autoland and ILM (par- 
ticularly under low visibility conditions) is presented in this 
chapter. This is done in the context of primary monitor and 
independent landing monitor design. 

The basic accident probability equation is used to generate 
performance specifications for fault detection, discrimination, and 
recovery. The key parameters governing the fault 
detection/discrimination portion of the system are the false alarm 
rates, $P_{FAE}$/$P_{FAI}$ (nuisance disconnect), missed alarm rates, 
$P_{MAE}$/$P_{MAI}$ (undetected failure), and equipment failure rates 
($P_{EF}$/$P_{ILM}$). Additional factors include the ILM input 
measurement sampling rate and absolute maximum time to detect and 
discriminate. The key parameters governing fault recovery performance 
are the probabilities of emergency landing failure 
($P_{ELE}$/$P_{ELI}$), probability of go-around failure 
($P_{GAE}$/$P_{GAI}$) and probability of manual landing failure 
($P_{MLE}$/$P_{MLI}$). The fundamental basis for the justification of 
an ILM in an autoland system is seen to be a reduction in the 
probability of catastrophic accident while executing a landing or 
go-around. This basis also led to a procedure to resolve conflict 
between primary autoland and ILM monitors. 

The system safety equation governs the performance tradeoffs 
in the equipment reliability, false alarm and missed alarm rates 
of the primary monitors and the ILM. Moreover, it also governs 
the required level of safety while executing a go-around or a 
landing decision. 
IV. FAULT DETECTION AND DISCRIMINATION 


The allocation of total accident probability to meet safety 
requirements is performed in Chapter IV. The relationship between 
the system safety equation (4) and the performance specification 
for the fault detection and discrimination subsystem is illustrated 
in Figure 1. The specification is made in terms of the allowable 
false alarm rates (nuisance disconnect), missed alarm rates 
(undetected failure), and the inherent equipment failure rates 
($P_{EF}$/$P_{ILM}$). Promising ILM software implementations 
incorporating fault detection and discrimination algorithms are 
now evaluated with reference to this specification, to ensure that 
the resulting avionics system meets the allowable accident 
probability. Thus, to select a specific scheme, the following points 
are addressed: 

1. Is it possible to achieve the false alarm and missed 
alarm rate performance required by the ILM? 

2. Does the hardware implementation technology allow the 
desired equipment failure rates to be met? 

3. How many measurement samples of a state are required to 
determine that a fault has occurred? 

4. How accurate must each state be measured by the ILM? 

5. How can the ILM be used to discriminate between the types 
of system faults? 

6. How much will the error state build up before the ILM 
detects that the fault occurred? 

This chapter begins by summarizing the main premises, arising 
from operational factors, on which the ILM hardware implementation 
and algorithm design are based. This is followed by modeling of the 
representative nature and magnitude of faults to be detected and dis- 
criminated. Then, two practical fault detection algorithms are pre- 
sented together with the associated assumptions and computer simula- 
tion results. Subsequently, the philosophy of fault discrimination, 
taking into account operational constraints, is discussed. The 
sensors required - to measure particular aircraft states, to implement 
the fault detection and discrimination scheme - represent a 
significant portion of the ILM information requirements. Finally, the 
areas of required further work are summarized. 



Main Premises and Fault Models 


The premises used in the ILM fault detection monitor design 
are as follows: (1) minimize the interconnection to the primary 
autoland system (e.g., sensors, servos, signal levels, etc.), (2) 
provide various levels of pilot involvement in the performance 
assessment, and (3) perform the assessment in terms of the present 
rather than the future (or predicted) position. Premise (1) allows 
avoiding the hardware problems of primary system reliability 
reduction, due to additional interconnections, and the consequent 
reduction in system safety. Premise (2) provides that the output 
of the ILM not be limited to simply a go/no go indication. Rather, 
it provides the option of a display format to enable the pilot to 
assess continually changes in performance and to develop a confidence 
for ILM generated commands over a period of usage. Premise (3) ac- 
knowledges the complex nature of making a prediction regarding future 
events, in the presence of nonstationary wind disturbances, on an 
aircraft possibly flying a curved decelerating flight path. Con- 
sequently, the failure detection algorithms only assess whether the 
current "state" is "abnormal". 

Prior to discussion of fault detection and discrimination tech- 
niques, it is necessary to delineate the nature and magnitude of the 
faults under consideration. 

Conventional autoland designers perform a laborious failure 
modes and effects analysis (FMEA) [18] to design the autoland hard- 
ware monitors. The two basic monitoring techniques are comparison 
and on-line monitoring [20] . Comparison monitoring is performed 
by comparing the outputs of two identical systems, and on-line 
monitoring is performed by measuring key signal parameters as a func- 
tion of time (e.g., voltage amplitude and phase). The iterative 
design process of FMEA is conducted by analyzing the effect of 
faults (in terms of signal characteristics) at different points in 
a subsystem and then designing the minimum cost monitor to detect 
the fault before its effects become unacceptably large. Often 
this is a trial and error process; at each step in this iterative 
process, the fault monitor has to be moved electrically closer to 
the point in the subsystem where the fault is likely to occur. Ulti- 
mately, the monitor performance is improved until the fault detection 
specification for the overall avionics system can be met. The 
resulting design is highly aircraft/avionics system dependent and 
must be reworked for each new aircraft design. 

On the positive side, usage of autoland system hardware 
monitors results in minimum time-to-detect any failure that is 
considered to be hazardous to normal flight operation and "not highly 
improbable." Indeed, the Federal Air Regulations (FAR's) require 
onboard indication of the operational status of all important 
systems and sensors. Specifically, the FAR's require that the crew 
be informed visually and orally of an autopilot malfunction or 
disconnection and the current autoland redundancy level. As noted 
previously, the MLS system, as currently planned, also has hardware 
monitors to inform the pilot and crew of malfunction and 
redundancy level. In general, the time-to-detect faults for the MLS 
and autoland hardware monitors is on the order of one second. 

The purpose of the ILM fault detection subsystem is to (a) 
detect an "abnormal" condition, and (b) discriminate between the 
possible "failures". Due to the operational premise (1), stated 
previously, the ILM monitors must detect a failure by observing 
only the failure's effect on the aircraft state. Consequently, 
one can expect the ILM time-to-detect to be longer than that of 
a well-designed hardware monitor. 

The possible system faults that the ILM can detect can be 
categorized into (a) autoland (e.g., guidance computers, autopilot), 
(b) MLS, (c) "out-of-design envelope" wind, and (d) ILM system 
malfunctions. Since minimal interconnection to the primary system 
is proposed, the failures are detected by measuring perturbations 
to the nominal aircraft trajectory (e.g., $\theta$, $\phi$, $\psi$, 
x, y, z, $\alpha$, $\beta$, p, q, r) with independent ILM sensors. 

It is not necessary at this point to model explicitly the exact 
aircraft dynamics which results from a systems fault. The state 
perturbations because of a fault can be assumed to change either 
as a step or a ramp. For example, a fault causing the aircraft to 
roll would produce a ramp output from a vertical gyro and a step 
output from a roll rate gyro. Also, certain MLS beam noise or wind 
conditions could cause step or ramp changes in the measurement 
sensor output covariance. Therefore, the fault detection schemes 
can be based on measuring the changes in the mean and variance of 
each measurement sensor's output. 

The measurement data have a certain amount of normal noise. 
This noise is suppressed by having a threshold which the state 
error must exceed before it can be considered "abnormal". 

The fault detection system analysis considered potential faults 
in terms of their effect on the aircraft state. The typical range 
of state error buildup rates chosen for this study are presented in 
Table 20, for roll, sideslip, pitch and heading. Note that 
hardover faults are easier to detect (i.e., small time-to-detect) and 
more difficult to correct. On the other hand, slowovers are 
difficult to detect (i.e., long time-to-detect) and somewhat easier 
to correct. The principal difficulty in detecting slowovers is 
due to the effect of slowovers being masked by sensor noise and 
the nominal state activity due to the external environment (i.e., 
turbulence). Table 21 gives the assumed nominal noise activity on 
a one sigma basis, in the roll, pitch and heading states due to the 
external environment, normal autoland control activity and normal 
MLS beam noise/bends. 


Fault Detection Algorithms 

Prior to describing the specific detection scheme proposed 
and the associated simulation results, some comments regarding the 
methodology are in order. Recall from the previous chapter that 
the basic pilot action for Strategy A, on failure detection, is to 
initiate a go-around. Because of time criticality of the approach, 
the precise cause of the failure is of secondary importance. Thus, 
the fault detection process receives major emphasis at this point. 

TABLE 20. - TYPICAL STATE PERTURBATIONS CAUSED BY 
SYSTEM FAULTS 

| TYPE OF FAILURE | ROLL RATE $\dot{\phi}$ (°/SEC) | SIDESLIP RATE $\dot{\beta}$ (°/SEC) | PITCH RATE $\dot{\theta}$ (°/SEC) | HEADING RATE $\dot{\psi}$ (°/SEC) |
|---|---|---|---|---|
| HARDOVER | 5 | 7.5 | 2 | 2 |
| SLOWOVER | 0.01 | 0.02 | -0.01 (NOSEDOWN), +0.1 (NOSEUP) | 0.1 |

TABLE 21. - ASSUMED NOMINAL STATE ACTIVITY DUE TO 
ENVIRONMENTAL NOISE ($1\sigma$) 

| STATE | ROLL | SIDESLIP | PITCH | HEADING |
|---|---|---|---|---|
| NOMINAL | 0.32° | 0.32° | 0.65° | 0.32° |

Basic assumptions in the fault detection scheme are that (1) 
the sequence of samples obtained from the sensors on each state 
arise from a normal Gaussian distribution and (2) the samples are 
uncorrelated. These assumptions are made because no results exist 
in the literature without these assumptions at this time. The 
former assumption of "normality" does not have as significant an impact 
as the latter. From the physics of the problem it is clear that 
sequential samples of aircraft state measurements are in fact 
correlated, but these can be made uncorrelated by a whitening filter 
[21] or an ARMA (auto-regressive moving average -- minimal order 
discrete differential equations modeling the input/output behavior) 
model [21]. Both these approaches require the availability of 
flight test/simulator data, and additional computation time is re- 
quired for the whitening process. In any case, the robustness of 
any statistical sample testing algorithm to test assumptions must 
be determined by simulation methods. 

Difficulties arise in detecting the faults from the measured 
state perturbations because: (1) the allowable time to detect 
(from a recovery point-of-view) for hard failures is limited to 
some maximum time T and (2) the effect of slowovers are masked 
by the effect of the normal disturbances indicated in Table 21. An 
increase in the wind disturbance magnitude or a performance 
degradation in the MLS or autoland system is reflected by an increase in 
the variance of the system state statistics. On the other hand, 
a hardover or slowover failure results in a change in the mean 
values of some or all of the states. 

In summary, the statistical tests should detect changes in mean 
and/or variance from the "nominal", within T seconds, using a fixed 
sampling rate. Also to meet ILM performance constraints, the 
detection logic should have a fixed false alarm (nuisance disconnect) 
rate $P_{FAI}$ and a fixed missed alarm (undetected failure) rate of 
$P_{MAI}$. Based on industry data and the calculations of the previous 
chapter, a typical set of numerical values of these parameters is 
presented in Table 22. 

TABLE 22. - FAULT DETECTION ALGORITHM PERFORMANCE 
SPECIFICATION 

| T (SEC) | K (SAMPLES/SEC) | $P_{FAI}$ | $P_{MAI}$ |
|---|---|---|---|
| 2 | 10 | [illegible] | 10^-[illegible] |


A number of statistical tests can be used, depending on the 
hypothesis being tested [22-25]. The applicable tests to detect 
mean and variance changes are summarized in Table 23. In the 
leftmost column, the hypotheses being tested are tabulated; these 
fall into two main categories -- mean changes and variance changes. 
For each of these categories, there exists the univariate sample 
case and the multivariate sample case. 

As noted in the references, a number of unsolved problems 
remain in the area of statistical testing. One particular case is 
the generation of fault detection operating characteristics for 
the t test. Current literature indicates that these characteristics 
must be determined by extensive Monte Carlo computer simulation. 

Let $\{x_i\}_{i=1}^{n}$ be a sample from a normal distribution with 
constant mean and variance $\sigma_0^2$. To test whether a given sample 
$\{x_i\}$ satisfies the null hypothesis ($\sigma^2 = \sigma_0^2$) or the 
alternate ($\sigma^2$ [relation illegible] $\sigma_0^2$), perform either 
a likelihood ratio test [22] or a chi-square ($\chi^2$) test. Even under 
the assumptions of normality and independent samples, the likelihood 
ratio test is a complex function of the sample variance. Analytical or 
empirical results on the distribution of the likelihood ratio tests, 
necessary to compute test thresholds, are not available in literature. 
Therefore, in practice, a chi-square ($\chi^2$) test for the null 
hypothesis (denoted by $\sigma^2 = \sigma_0^2$) is used. This test is 
also used here, for detecting univariate variance changes as documented 
in Table 23. 




TABLE 23.- APPLICABLE PARAMETRIC STATISTICAL TESTS

Column headings: HYPOTHESES; UNIVARIATE ($\sigma$ KNOWN, $\sigma$ UNKNOWN);
MULTIVARIATE, ONE-SIDED NOT APPLICABLE ($\sigma$ KNOWN, $\sigma$ UNKNOWN)

MEAN
  Tests, in column order: Z TEST; t TEST; [name illegible] TEST;
    $T^2$ TEST
  r: CORRELATION COEFFICIENT (BI-VARIATE)
  t TEST: ROBUST TO NORMALITY ASSUMPTION
  $T^2$ TEST (VECTOR CASE):
    $\bar{X} = \frac{1}{N} \sum_{i=1}^{N} X_i$
    $T^2 = N (\bar{X} - \mu_0)^T S^{-1} (\bar{X} - \mu_0)$
    S = COVARIANCE MATRIX
  [symbol illegible] = CONFIDENCE LEVEL SETTING
  [remaining formula entries illegible]

VARIANCE ($\sigma^2 > \sigma_0^2$)
  UNIVARIATE: MAXIMUM LIKELIHOOD TEST; LARGE SAMPLE APPROXIMATION:
    [formula illegible]; $\mu$ KNOWN/UNKNOWN
  MULTIVARIATE: MAXIMUM LIKELIHOOD TEST; LARGE SAMPLE APPROXIMATION:
    [formula illegible]; $\mu$ KNOWN/UNKNOWN
  NOT ROBUST TO NORMALITY ASSUMPTION


To test the hypothesis of whether the mean $\mu$ is equal to
some constant $\mu_0$ (denoted by $H_0$: $\mu = \mu_0$) or it is not
(denoted by $H_a$: $\mu \neq \mu_0$), Student's t test is used when the
variance is unknown. Unlike the $\chi^2$ test, the t test (see Table 23)
is robust (i.e., insensitive to moderate deviations from the assumption
of normality) when the sample is random. But unlike the $\chi^2$ test,
analytic expressions or tabulated results are not available to
determine the test threshold setting to achieve a prespecified false
alarm rate ($\eta$) and missed alarm rate ($\zeta$).

For the $\chi^2$ test, Figure 13 presents the variance ratio that
can be detected as a function of sample size (n), false alarm rate
($\eta$) and missed alarm rate ($\zeta$) [24]. These curves were obtained
by evaluating analytic expressions of the $\chi^2$ test using numeric
values of the false alarm ($\eta$) and missed alarm ($\zeta$) rates. Based
on requirements defined in Table 22, it was determined that to detect
an "abnormal" condition in a given signal, the change in variable
from "normal" ($\sigma_0^2$) to "abnormal" ($\sigma^2$) must be 9.55. The
corresponding null and alternative hypotheses for the $\chi^2$ test are
shown in Table 24 for the roll, pitch, and heading axes.

The proper threshold setting and the corresponding mean change 
required to identify an abnormal signal in the t test had to be 
determined by computer simulation. This is as yet an analytically 
unsolved problem. 


TABLE 24.- THE NULL AND ALTERNATE HYPOTHESIS FOR THE $\chi^2$ TEST

STATE        ROLL          PITCH         HEADING   COMMENTS
NOMINAL      [illegible]   [illegible]   0.32°     $H_0$: NULL HYPOTHESIS
DETECTABLE   [illegible]   2.0°          1.0°      $H_a$: ALTERNATIVE HYPOTHESIS


FIGURE 13.- DETECTION CHARACTERISTICS OF THE $\chi^2$ TEST
(Panels: Step Variance Change; Ramp Variance Change. Horizontal axis:
Sample Size, n. Curve parameters: $\eta$ - False Alarm Rate, $\zeta$ -
Missed Alarm Rate. Nominal Variance (Turbulence, Beam Noise, Etc.).)



For the present study, computer simulations were performed to
validate the effectiveness of the t test and $\chi^2$ test, for the
univariate case, using step and ramp changes in the mean and variance
of the measured state. The performance of the tests was evaluated
using 10,000 runs of 50 samples each. To obtain more statistically
correct results would require more runs. This was not done to minimize
computation costs. In each case, step and ramp changes to the
measured state, because of faults, were introduced after 20 samples.
The form of these changes is shown in Figures 14a and 14b,
respectively.

The corresponding simulation results for a mean change and a
variance change are shown in Figure 15a and 15b, respectively.
These figures indicate that, as expected, step faults are easier
to detect than ramp faults. Simulation results are summarized in
Table 25. It can be seen that the $\chi^2$ test is not robust to changes
in the mean. In other words the $\chi^2$ test, used to detect changes,
has a high false alarm ($\eta$) rate for changes in the mean. On the
other hand, the t test, used to detect mean changes, does not
cause a false alarm when there is a change in variance. Thus, the
t test is robust to variance changes.

The robust feature of the t test can be used to alleviate the
shortcoming of the $\chi^2$ test, when both tests are used simultaneously.
A simple hardware implementation of the required logic is shown in
Figure 16. Essentially the shortcoming of the $\chi^2$ test is overcome
by declaring a change in variance only if the t test does not flag
a change but the $\chi^2$ test does.
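
The combined decision logic and the Monte Carlo check described above, as an added Python example (not code from the report). The 50-sample runs, the step fault after sample 20 and the 9.55 variance ratio come from the text; the 20-sample window, the false alarm rate, the 3-sigma mean step, the known-mean form of the chi-square statistic and the Wilson-Hilferty threshold approximation are assumptions made for this example.

```python
import math
import random
from statistics import NormalDist

N_WINDOW = 20      # assumed test window (e.g. 2 s at 10 samples/s)
ALPHA = 1e-3       # constructed false alarm rate for this example
VAR_RATIO = 9.55   # "abnormal"/"normal" variance ratio quoted in the text

def chi2_threshold(n, alpha):
    """Upper-alpha quantile of chi-square(n), Wilson-Hilferty approximation."""
    z = NormalDist().inv_cdf(1.0 - alpha)
    c = 2.0 / (9.0 * n)
    return n * (1.0 - c + z * math.sqrt(c)) ** 3

def chi2_stat(window, mu0, sigma0):
    """Variance statistic taken about the nominal mean (assumed form)."""
    return sum((x - mu0) ** 2 for x in window) / sigma0 ** 2

def t_stat(window, mu0):
    """Student's t statistic for H0: mean = mu0 with unknown variance."""
    n = len(window)
    m = sum(window) / n
    s2 = sum((x - m) ** 2 for x in window) / (n - 1)
    if s2 == 0.0:  # constant window: avoid dividing by zero
        return 0.0 if m == mu0 else math.copysign(math.inf, m - mu0)
    return (m - mu0) / math.sqrt(s2 / n)

def calibrate_t_threshold(n, alpha, trials, rng):
    """Set the two-sided t threshold by simulation of fault-free windows."""
    values = sorted(abs(t_stat([rng.gauss(0.0, 1.0) for _ in range(n)], 0.0))
                    for _ in range(trials))
    return values[min(trials - 1, int((1.0 - alpha) * trials))]

def classify(window, mu0, sigma0, chi2_thr, t_thr):
    """Declare a variance change only if chi-square flags and t does not."""
    if abs(t_stat(window, mu0)) > t_thr:
        return "mean"
    if chi2_stat(window, mu0, sigma0) > chi2_thr:
        return "variance"
    return "nominal"

def simulate(fault, runs, chi2_thr, t_thr, rng, mean_step=3.0):
    """Runs of 50 samples, step fault after sample 20, test on the last 20.

    Returns the fraction of runs in which the chi-square test alone alarms,
    and in which the combined logic reports a variance or a mean change.
    """
    counts = {"chi2_alone": 0, "variance": 0, "mean": 0}
    for _ in range(runs):
        run = []
        for i in range(50):
            faulted = i >= 20
            mu = mean_step if (faulted and fault == "mean") else 0.0
            sd = math.sqrt(VAR_RATIO) if (faulted and fault == "variance") else 1.0
            run.append(rng.gauss(mu, sd))
        window = run[-N_WINDOW:]
        if chi2_stat(window, 0.0, 1.0) > chi2_thr:
            counts["chi2_alone"] += 1
        verdict = classify(window, 0.0, 1.0, chi2_thr, t_thr)
        if verdict in counts:
            counts[verdict] += 1
    return {name: count / runs for name, count in counts.items()}

if __name__ == "__main__":
    rng = random.Random(1)
    chi2_thr = chi2_threshold(N_WINDOW, ALPHA)
    t_thr = calibrate_t_threshold(N_WINDOW, ALPHA, 20000, rng)
    print("thresholds:", round(chi2_thr, 2), round(t_thr, 2))
    for fault in ("none", "mean", "variance"):
        print(fault, simulate(fault, 2000, chi2_thr, t_thr, rng))
```

With a step in the mean, the chi-square test alone alarms on nearly every run, while the combined logic attributes those runs to a mean change instead of a variance change.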

A significant amount of additional work needs to be performed
on detection algorithm methods to answer a number of pertinent
problems:

1. Determination of threshold setting for the t test as a
function of the sample size (n), false alarm rate ($\eta$)
and missed alarm rate ($\zeta$).

2. Methodology for threshold setting and false alarm/missed
alarm rate computation for state errors with ramp growth
characteristics.

3. Extension of (1) and (2) to the vector test (i.e., the
and tests).

FIGURE 14a.- STEP AND RAMP FAULT IN VARIANCE
(Population normalized variance versus sample number, n.)

FIGURE 14b.- STEP AND RAMP FAULT IN MEAN
(Population mean, $\mu$, versus sample number, n.)


Fault Discrimination 

In examining the results of the previous chapter, one notes 
that a primary requirement is to detect the presence of a fault. 



FIGURE 15a.- FREQUENCY DISTRIBUTION OF FAULT DETECTION
FOR MEAN CHANGE

FIGURE 15b.- FREQUENCY DISTRIBUTION OF FAULT
DETECTION FOR VARIANCE CHANGE
(Frequency of first alarm versus sample number, n.)

FIGURE 16.- PROPOSED DETECTION LOGIC TO PROVIDE
ROBUSTNESS IN $\chi^2$ TEST


TABLE 25.- COMPUTER SIMULATION RESULTS FOR THE $\chi^2$ AND t TEST

Column headings: INPUT CHANGE CHARACTERISTIC (TYPE, ELEMENT);
FALSE ALARM RATE ($\eta$) ($\chi^2$, t); MISSED ALARM RATE ($\zeta$)
($\chi^2$, t); COMMENTS. Cell values are listed in source order.

Step, Mean:      0.366 (High False Alarm Rate) | 10^[exponent illegible] |
                 -- | 10^[exponent illegible]
                 Excessive $\eta$ for Mean Change, Using $\chi^2$

Step, Variance:  10^[exponent illegible] | 0 | 10^[exponent illegible]
                 Increased Turbulence/Beam/Noise/AP Degradation

Ramp, Mean:      0.003 | 10^-4 | -- | 10^[exponent illegible]
                 Excessive $\eta$ for Mean Change, Using $\chi^2$

Ramp, Variance:  10^[exponent illegible] | 3 x 10^-4 (Small Alarm Missed) |
                 [illegible] | 10^[exponent illegible]
                 Increased Turbulence/Beam/Noise/AP Degradation

To discriminate among the various fault categories, one procedure 
is to check sequentially all the autoland/MLS hardware monitor 
flags and to identify the fault source by a process of elimination. 
One possible discrimination flow chart, to accomplish this, is
presented in Figure 17. Basically, the priority for performing the 
sequential discrimination is to perform the validity checks 
first on the subsystems (e.g., autopilot) whose failures lead to the 
greatest hazard probability. 

An alternative methodology for fault discrimination without
the use of existing hardware monitors is to compare signals from
independent sources for consistency using simple system dynamic
models. For example, a fault causing a roll angle must eventually
show up as a lateral displacement. Assuming that the ILM position
and attitude information is independent, Figure 18 shows sketches
of the measurement traces due to faults causing lateral deviations
in the error state. Shown are typical amplitudes of ILM gyro
measured roll angle ($\phi$), ILM y-sensor measured lateral position
($y_I$), and MLS measured lateral position ($y_M$). As can be seen in
Figure 18a, if both ILM gyro and y-sensor data are available, autoland,
MLS, and ILM faults can be distinguished. With only y-sensor
(Figure 18b) or gyro (Figure 18c) data, an autoland failure can be
distinguished from an ILM or MLS fault, but the ILM and MLS faults
can't be differentiated directly. However, if the presence of a
fault is the only information required, the two sources are
adequate. Similarly, a single source (either y-sensor or gyro)
could be used to determine that a fault of some sort is present
(ILM, MLS, or autoland).



FIGURE 17.- SEQUENTIAL DISCRIMINATION TEST FLOW CHART
*Existing Hardware Monitors Used To Discriminate Among Possible Faults


FIGURE 18.- LATERAL SIGNAL TRACES INDICATING ILM, MLS, OR AUTOLAND FAULT OCCURRENCE;
(a) ILM ASSUMED TO HAVE BOTH POSITION ($y_I$) AND ATTITUDE ($\phi$) INFORMATION;
(b) ILM HAS POSITION INFORMATION ONLY; (c) ILM HAS ATTITUDE INFORMATION
ONLY.
(Panels: (a) Three Independent Signals; (b) No ILM Gyro; (c) No ILM y
Sensor. Trace labels: ILM Gyro Fault, ILM y Sensor, MLS Fault, ILM or
MLS Fault, Autoland Fault.)


V. FAULT RECOVERY PERFORMANCE 


The fault detection algorithms described in the previous chapter
provide the pilot with an alarm advising him of the existence of
a fault. The results of the safety analysis can be used to recommend
an appropriate recovery decision (i.e., manual takeover to
land or go-around). However, the validity of the choice is related
to the time required to recover from the error state induced by
the fault. At the point of fault detection, due to the statistical
nature of the fault occurrence and detection process, the system
state $x$ is described by a mean deviation from nominal, $\bar{x}$, and a
covariance, P, characterizing dispersions about this mean in a
probabilistic sense. As noted in Fig. 1, specific fault recovery
constraints imposed by the safety analysis are defined in terms
of the probabilities of emergency landing failure, probability of
go-around failure ($P_{GAE}$, $P_{GAI}$), and probability of manual
landing failure. To enable the pilot to recover
from an upset and, subsequently, guide the aircraft to a landing or
go-around within these constraints necessitates the incorporation
of additional sensors and display parameters. The set of sensors
and display parameters necessary to meet the above mentioned safety
constraint characterizes the ILM information and display
requirements.


The objective of this chapter is to present an evaluation of
the performance of the pilot-aircraft-display system in recovery
from an upset condition, based on the analysis described in Chapter
IV. This performance of time-to-correct the fault can be used to
define quantitatively the altitudes which govern the recovery
strategy. First, the technique of evaluating post-fault system
performance (namely, covariance propagation) is presented in an
outline form; a more detailed exposition is contained in Appendix
B. Subsequently, simulation results for a particular set of numerical
values corresponding to a linearized model of the terminally
configured vehicle (B-737) are presented. These preliminary results
allow an assessment to be made of the fault recovery performance
as a function of initial state covariance, display accuracies, and
pilot response characteristics.


Fault Recovery Performance Assessment By Covariance Propagation 

Two distinct techniques are available to evaluate post-fault
system performance; these are the Monte Carlo analysis [15] and
covariance propagation [21]. The former technique has been exclusively
used by a number of commercial aircraft system developers
to generate certification requirement compliance data for Category
III autoland systems [15]. The latter technique has mainly been
used in analytical studies.

The principal advantage of Monte Carlo methods over covariance
propagation is that the results are more accurate. The Monte Carlo
simulation allows the inclusion of all nonlinear details of the
overall system being studied. On the other hand, the computation
time for the Monte Carlo simulation can be excessive, particularly
when the tails of the outcome probability distribution are to be
evaluated. Moreover, the time required to develop the program is
quite substantial.

Because the present study focused on the development of a 
methodology for determining information and display requirements, 
the covariance propagation technique was selected to study recov- 
ery performance. Although the results are less accurate than those 
obtained by Monte Carlo analysis, this novel application of the 
technique does yield useful results pertinent to the complex, costly, 
and time-consuming process of advanced aircraft ILM design. 





The application of the covariance propagation technique to
evaluate recovery performance requires a linear small perturbation
system model or sequence of models. These models define the
aircraft-autoland-display-pilot system as it proceeds along the terminal
area landing trajectory. Detailed analytical characterization of
the system model and the covariance propagation technique is presented
in Appendix B.

Figure 19 shows a system level block diagram for the manual 
control of the aircraft during a particular flight condition along 
the trajectory. The three essential subsystems in this diagram 
are the aircraft model, the display model, and the pilot model. 



FIGURE 19.- MANUAL CONTROL SYSTEM BLOCK DIAGRAM

Note that the system model definition is in terms of perturbations
about the nominal. The effects of sensor errors (e.g., MLS, ILM,
altitude) are modelled by the noise variance introduced by
them. Similarly, display noise is modelled by the noise variance
$v_d$. The basic assumption in modelling the pilot is that he behaves
as an optimal state estimator followed by a feedback controller
to null out perturbations from the nominal [26,27]. To model the
effects of pilot muscular motor noise in implementing these manually
generated optimal control laws, a noise term w^^ is introduced.
Finally, to model external gust-turbulence disturbances another
noise term w^ is used.

The state of the system at the point of fault detection is
modelled by the mean state vector, $\bar{x}$, offset from the nominal (null)
trajectory. A covariance matrix P represents the dispersion of
the state about this mean, in a statistical sense. The closed loop
aircraft-display-pilot feedback control system performance is
obtained by numerically integrating the corresponding differential
equation governing the propagation of the covariance matrix as a
function of time. Typical covariance propagation results are
graphically illustrated for the landing and go-around tasks, in Figures
20a and 20b, respectively, for the altitude state.

To determine whether the landing or go-around is "successful",
the propagated covariance on a {(mean) ± k (sigma)} basis must be
entirely within the appropriate state constraints (e.g., obstacle
clearance, angle-of-attack limit). The probability of catastrophic
failure due to a landing or go-around, as stated in the preceding
error budget discussion and Appendix A, dictates the corresponding
numerical value of k. The relationship between the parameter k
and the failure probability is quantitatively presented in Appendix
B.

FIGURE 20a.- MANUAL LANDING TASK FAULT RECOVERY

FIGURE 20b.- MANUAL GO-AROUND TASK FAULT RECOVERY

At each point along the approach trajectory, the error state
covariance must be within the appropriate state constraints. If it
is not, then it can be concluded that for the assumed initial state
covariance and pilot model parameters, fault recovery at a sufficiently
low level of catastrophe probability is not feasible.

The "time-to-correct", from an initial upset condition at fault
detection, is evaluated in this fashion. A state covariance matrix
characterizing the steady state covariance (due to external
disturbance) when no faults are present is compared to that obtained from
covariance propagation from the initial fault state. When the
latter covariance is entirely within the former, the corresponding
time-to-correct is obtained. Details on this recovery termination
condition are given in Appendix B.
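
The covariance propagation check described above, as an added Python example (not the report's model, whose data are in Appendix B). It propagates the mean and covariance of a hypothetical two-state closed-loop altitude-error model, rejects the recovery if the mean ± 4 sigma envelope leaves an assumed limit, and takes the time-to-correct as the time after which the envelope stays inside an assumed window; the 3.05 m initial altitude sigma is the Table 26 baseline, and every other number is constructed.

```python
import math

OMEGA, ZETA = 1.0, 0.7      # hypothetical closed-loop bandwidth (rad/s) and damping
Q_GUST = 0.252              # hypothetical gust intensity; steady-state sigma_h = 0.3 m
# States: altitude error h (m) and its rate v (m/s), closed loop with the pilot.
A = [[0.0, 1.0], [-OMEGA ** 2, -2.0 * ZETA * OMEGA]]
Q = [[0.0, 0.0], [0.0, Q_GUST]]
K_SIGMA = 4.0               # four-sigma envelope, as used in the text
LIMIT, WINDOW = 30.5, 1.5   # hypothetical recovery limit and target window on h (m)

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def step(x, P, dt):
    """One Euler step of dx/dt = A x and dP/dt = A P + P A' + Q."""
    n = len(x)
    dx = [sum(A[i][j] * x[j] for j in range(n)) for i in range(n)]
    AP = matmul(A, P)  # P is symmetric, so P A' is the transpose of A P
    x_new = [x[i] + dt * dx[i] for i in range(n)]
    P_new = [[P[i][j] + dt * (AP[i][j] + AP[j][i] + Q[i][j])
              for j in range(n)] for i in range(n)]
    return x_new, P_new

def envelope(x, P):
    """Largest altitude deviation on a |mean| + k sigma basis."""
    return abs(x[0]) + K_SIGMA * math.sqrt(max(P[0][0], 0.0))

def time_to_correct(x0, sigma0, scale=1.0, dt=0.01, t_max=60.0):
    """Time after which the envelope stays inside WINDOW, or None.

    None means the recovery limit was violated or the envelope never
    settled. 'scale' multiplies the initial standard deviations.
    """
    x = list(x0)
    P = [[(scale * sigma0[0]) ** 2, 0.0], [0.0, (scale * sigma0[1]) ** 2]]
    steps = int(round(t_max / dt))
    last_outside = None
    for k in range(steps + 1):
        env = envelope(x, P)
        if env > LIMIT:
            return None
        if env > WINDOW:
            last_outside = k  # an oscillatory response can leave the window again
        x, P = step(x, P, dt)
    if last_outside == steps:
        return None
    return 0.0 if last_outside is None else (last_outside + 1) * dt

def steady_state_sigma_h(dt=0.01, t_end=40.0):
    """Fault-free steady-state altitude sigma, reached from zero covariance."""
    x, P = [0.0, 0.0], [[0.0, 0.0], [0.0, 0.0]]
    for _ in range(int(round(t_end / dt))):
        x, P = step(x, P, dt)
    return math.sqrt(P[0][0])

if __name__ == "__main__":
    x0, sigma0 = [2.0, 0.0], [3.05, 0.5]   # constructed upset at fault detection
    for scale in (1.0, 2.0, 3.0):
        print("sigma scale", scale, "time-to-correct", time_to_correct(x0, sigma0, scale))
    print("steady-state sigma_h", steady_state_sigma_h())
```

Doubling the initial standard deviations lengthens the time-to-correct, and tripling them breaks the assumed recovery limit at the first step, so no recovery time is returned.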


Besides evaluating probability of catastrophe and time-to-correct,
covariance propagation allows convenient analysis of the
sensitivity to the magnitude of sensor errors (v^), display errors
($v_d$), external disturbances (w^), and the pilot model parameters
for the estimator and the controller. In the present study, partial
results relating some of these factors were obtained. A substantial
amount of further work, particularly with respect to pilot model
parameter sensitivity, remains to be performed.

Two particular phases of flight, specifically the flare and
go-around maneuvers, require further comments. Both these maneuvers
involve non-linear system dynamics. The flare maneuver has a
non-linear control sequence and non-linear ground effects on the
aerodynamic coefficients. The go-around maneuver is nonlinear because
of the limiting controls and abrupt change in flight conditions
involved. Consequently, to obtain covariance propagation of reasonable
fidelity to the true situation in these regimes, it is necessary
to model these phases by a sequence of linear models rather
than a single model. This requirement detracts from the principal
features of covariance propagation, namely, ease of implementation
and small computation time. In any case, the results of covariance
propagation must be treated as a first approximation to advanced
aircraft ILM design. These results must be validated by Monte
Carlo analysis using the nonlinear equations of motion, ground-based
cockpit simulation, and finally a prototype flight test. Nonetheless,
covariance propagation does serve to provide approximations
to the sensitivity of time-to-correct to system parameter variations.
It also serves to determine which system parameters should be examined
more closely in subsequent analysis and testing.


Example Covariance Propagation Simulation Results 

To determine the pilot recovery performance after fault detec- 
tion, the longitudinal and lateral modes of the Terminally 
Configured Vehicle (TCV) were modeled by linearized sets of 
perturbation equations for the aircraft and an optimal control model 
for the pilot. Numerical data on these models are presented in 
Appendix B. 

Starting with an initial state error covariance manifold ($\sigma_c$)
and display error statistics ($\sigma_s$), the objective of the simulation
was to determine the sensitivity of time-to-recover to changes in
$\sigma_c$ and $\sigma_s$. This was done for both the longitudinal and
lateral axes recovery decisions.

The baseline system was characterized by the set of numerical
values in Table 26. These baseline standard deviations were varied
as shown in Table 27. Based on the error budget requirements, the
probability of catastrophic accident, during a go-around or landing
decision, was constrained to be about $10^{-4}$ (1 accident per 10,000
decisions). This corresponds approximately to the four sigma ($4\sigma$)
covariance dispersion envelope as discussed in Appendix B. During
each time step of the covariance propagation integration, this four
sigma dispersion was constrained to lie within the appropriate
aerodynamic and obstacle clearance constraints, shown in Table 28. The
time-to-correct was the time required to satisfy the flare point
window, given in Table 28.


TABLE 26.- COVARIANCE PROPAGATION BASELINE DISPLAY ERROR ($\sigma_s$)
AND INITIAL STATE ERROR ($\sigma_c$) STANDARD DEVIATIONS

LONGITUDINAL ERRORS

ILM Display Error:    $\sigma_s(\theta, u, \alpha, h, R_s)$ = {1°, .52 m/s (1.7 Feet/s),
                      1°, .3 m (1 foot), 1.5 m (5 feet)}

Initial State Error:  $\sigma_c(\theta, u, \alpha, h, R_s)$ = {2°, .52 m/s (1.7 Feet/s),
                      2°, 3.05 m (10 Feet), 6.1 m (20 Feet)}

LATERAL ERRORS

ILM Display Error:    $\sigma_s(\phi, \psi, \beta, L)$ = {1°, 1°, 1°, 1.5 m (5 Feet)}

Initial State Error:  $\sigma_c(\phi, \psi, \beta, p, r, L)$ = {1°, 1°, 1°, 1°/s, 1°/s,
                      7.6 m (25 Feet)}

where

$\theta$ - Pitch angle
u - Normalized velocity
$\alpha$ - Angle-of-attack
h - Altitude
R - Slant range

$\phi$ - Roll angle
$\psi$ - Heading angle
$\beta$ - Sideslip angle
p - Roll rate
r - Yaw rate
L - Lateral displacement


TABLE 27.- FAULT RECOVERY TIME-TO-RECOVER SENSITIVITY RESULTS
VARIABLE ILM DISPLAY ERRORS AND AIRCRAFT STATE
ERRORS (DUE TO FAULTS)

AXIS          CASE  ILM DISPLAY                 INITIAL STATE ERROR         LANDING           GO AROUND*        COMMENTS
                                                                            ($4\sigma$) SEC   ($4\sigma$) SEC
LONGITUDINAL  1     $\sigma = \sigma_s$         $\sigma = \sigma_c$         14                6.2               Baseline
              2     $\sigma = 2\sigma_s$        $\sigma = \sigma_c$         14                6.2               Doubling Display Error
              3     $\sigma = \sigma_s$         $\sigma = 2\sigma_c$        18                8.8               Doubling Initial Covariance
              4     $\sigma = \sigma_s$         $\sigma = \sigma_c/2$       12                4.0               Halving Initial Covariance
              5     $\sigma = \sigma_s/2$       $\sigma = \sigma_c/2$       12                4.0               Halving Initial Covariance and Display Error
LATERAL       6     $\sigma = \sigma_s$         $\sigma = \sigma_c$         18                10.2              Baseline
              7     $\sigma = 2\sigma_s$        $\sigma = \sigma_c$         18                10.2              Doubling Display Error
              8     $\sigma = \sigma_s$         $\sigma = 2\sigma_c$        24                14.8              Doubling Initial Covariance
              9     $\sigma = \sigma_s$         $\sigma = \sigma_c/2$       16                8.0               Halving Initial Covariance
              10    $\sigma = \sigma_s/2$       $\sigma = \sigma_c/2$       16                8.0               Halving Initial Covariance and Reducing Display Error

* Additional Delay To Incorporate Go-Around Height Loss ~3 Sec

Numerical values for the "time-to-correct" for variations in
($\sigma_s$) and ($\sigma_c$) are given in Table 27. For example, in the
baseline configuration (Case 1) it takes 14 sec. (see Table 27) to
recover, on a $4\sigma$ basis (i.e., probability of catastrophe = $10^{-4}$),
from the initial state covariance (see Table 26) at fault detection, to
the flare point window (see Table 28).

Typical plots of the recovery envelopes for altitude (a longitudinal
axis state) and roll rate (a lateral axis state) are shown
in Figures 21a and 21b, respectively. This figure illustrates typical
post-fault recovery envelopes following the landing and go-around
decisions. For a fault causing an upset in the lateral axis,
the sequence of recovery actions is first to stabilize the aircraft
in the lateral axis and then to execute a landing or a go-around.

FIGURE 21.- FAULT RECOVERY COVARIANCE PROPAGATION EXAMPLES
(Panel: (a) Longitudinal Axis - Vertical Deviation.)


TABLE 28.- ASSUMED AIRCRAFT RECOVERY LIMITS AND FLARE POINT WINDOW

AXIS          STATE               RECOVERY LIMITS              FLARE POINT
                                  MAX          MIN             WINDOW
Longitudinal  $\theta$, °         12           12              +0.5
              u, -                0.15         -0.15           +0.02
              [illegible]         +22          -10             +0.5
              q, °/s              3            -3              +0.05
              L, m (ft)           305 (100)    -30.5 (-100)    +1.5 (+5)
              $R_s$, m (ft)       915 (3000)   -610 (-2000)    +3.05 (+10)
              [illegible]         10           -5              +1
              [illegible] th      5000         -500            +100
Lateral       [illegible]         15           -15             +1
              [illegible]         15           -15             +1.5
              $\beta$, °          5            -5              +1.5
              p, °/s              5            -5              +0.5
              r, °/s              5            -5              +0.5
              L, m (ft)           152 (500)    -152 (-500)     +6.1 (+20)


This sequence of actions is reflected in the recovery time listed 
in Table 27. Note that go-around recovery for a failure causing 
a lateral axis upset takes longer than that for a failure causing 
a longitudinal axis upset. 

For the longitudinal and lateral axis, the principal conclusions
are:

1. The go-around recovery covariance converges more rapidly
than the landing recovery covariance.

2. The time to establish a positive rate of climb is of the
order of one second and that covariance converges to 90
percent within three seconds. Note that these results must
be used cautiously since they are based on linearized
perturbation models.

3. The time required for the covariance to converge increases
with and

4. For a landing decision, the covariance takes as much
as ten seconds to converge.

5. Because linear perturbation equations have been used, the
go-around height loss does not show up on the plots.

6. The lateral axis recovery takes longer than the longitudinal
axis recovery due to the additional time required to stabilize
the aircraft laterally.

7. For the values of display error standard deviations
considered, the recovery performance is insensitive to
these errors.


In summary, for the particular set of numerical values used, on
detecting a failure, the safer decision is to execute a go-around.
Recalling that the time to detect is no more than two seconds,
the total time for longitudinal go-around recovery from fault
initiation is about eight seconds. This compares favorably with
current FAA requirements. It is noted that an emergency landing
decision is warranted only if the time to touchdown is of the order
of less than three seconds. To resolve conclusively the strategy
details below the flare height, computer simulations (manned
and unmanned) must be performed using detailed nonlinear models
incorporating ground effects and aircraft configuration change
effects at these heights.


VI. TOTAL SYSTEM PERFORMANCE, ASSOCIATED STRATEGIES,
AND DISPLAY REQUIREMENTS


Using the results generated by conducting the safety budget,
fault detection and fault recovery analyses, this chapter evaluates
total system performance and the resultant optimum pilot-crew ILM
strategy. System performance is characterized by the total time
(detection and recovery) curves for go-around and landing. This
performance is characterized by the critical altitude (CA) and
decision altitude (DA). These altitudes, in turn, define boundaries
to the ILM strategies for go-around and manual landing initiation.
Appropriate display concepts are proposed to implement
the ILM strategy. The two distinct versions of these displays are
the go-around prompter status display and the manual guidance display.
Associated sensor and computational requirements are also
considered in this context.


Total System Performance 

The total time curves for go-around and landing recovery are
determined by summing together the time-to-detect and
time-to-correct curves obtained from the fault detection and fault
recovery analysis, respectively. Figure 22 shows a superposition of the
time-to-detect curve for the variance change ($\chi^2$ test) algorithm
(see Fig. 13) and the longitudinal axis fault recovery
(time-to-correct) curve (see Table 27). These two curves are summed
together for the same initial state error deviation ($\sigma$)
ratio, along the time axis. The multiple of standard deviations
($\sigma$) to be used to assure that the probability of catastrophe during
go around is $10^{-4}$, budgeted in Chapter III and Appendix B, was
established as four standard deviations ($4\sigma$). The resulting total
time curve shows that the tolerable deviation ratio due to faults
decreases until t is less than or equal to $t_{min1}$. Below $t_{min1}$,
no fault is tolerable without violating the required level of
safety.

FIGURE 22.- DETERMINATION OF TOTAL TIME (DETECTION/RECOVERY) FOR GO-AROUND TASK
(BASELINE) IN LONGITUDINAL AXIS

The altitude on the nominal profile at which the time to touchdown
is equal to $t_{min1}$ is defined as the critical altitude (CA).
Below this altitude the pilot/crew must prepare for an emergency
landing, in the event that a fault occurs. This is because the
error state due to the fault would no longer be recoverable with
a probability of catastrophe during go around of less than $10^{-4}$
(e.g., $4\sigma$ basis).

The "time-to-detect" and "time-to-correct" can be scaled up
to correspond to five standard deviation values, for example, and
then summed to yield a different total time curve. Using Table
B-1 of Appendix B, this corresponds to a budgeted probability of
go around catastrophe of 3.4x10^[exponent illegible], a much safer go
around. But the corresponding $t_{min1}$ of the total time curve would be
much larger. This illustrates the intuitively obvious concept
that it is safer to execute a go around from a higher altitude
(i.e., more time to touchdown).

The total time curve for landing recovery is obtained in a
similar fashion, as shown in Fig. 23. For the particular set of
numerical values used, the minimum time for landing recovery,
$t_{min2}$, is equal to 22 seconds. The altitude at which the time
to touchdown is $t_{min2}$ is defined as decision altitude (DA).
Below decision altitude, no fault is sufficiently recoverable to
execute a manual landing within the required levels of safety
(i.e., $10^{-4}$).

The portion of the go around recovery curve, in Fig. 22, and
the landing recovery curve, in Fig. 23, corresponding to recovery
from large initial deviations (i.e., large recovery time) is of
dubious validity. One can reasonably expect that the linearized
small perturbation models used for the aircraft and the pilot are
no longer valid under large perturbations from the nominal. The
characteristics of this portion of the curve must be obtained by
performing an extensive Monte Carlo analysis on a cockpit simulator
with a detailed nonlinear aircraft model.

FIGURE 23.- COMPARISON OF TOTAL TIME FOR RECOVERY - GO-AROUND AND LANDING
(Deviation ratio, angle-of-attack, versus seconds, with the aerodynamic
limit marked.)

For the lateral axis recovery case, the pilot stabilizes the
aircraft prior to executing a go around or a landing. Referring
to Table 27, this requires an additional amount of time equal to
four seconds. Thus, the corresponding recovery time curves and
the $t_{min}$'s would be increased by four seconds for recovery from a
lateral axis fault, maintaining the same level of system safety.

The abscissa of the total time curves (i.e., Figs. 22 and 23)
obtained in this manner, are translated to an equivalent height
using the nominal landing sequence time-height correspondence in
Fig. 5 of Chapter II. The results of Figs. 22 and 23 enable one
to superimpose the allowable deviation envelopes (ordinate in Figs.
22 and 23) on the nominal approach profile for each of the six
longitudinal and lateral axis states. The allowable deviation
envelope for one state, namely altitude, has been shown in Fig. 24.
The critical altitude and decision altitude are 23 m (70 ft) and
56 m (170 ft), respectively, for the numerical values used in this
example. These altitudes can be compared with the currently defined
nominal "alert altitude" (i.e., altitude at which an autoland
system must be fail operative to continue on automatic landing
Category III weather) of about 26 m (80 ft), and the Category II
"decision height" of 30.5 m (100 ft).

A figure similar to Fig. 24 can be obtained, for system performance,
for lateral axis faults. Basically, the allowable deviations
for the same altitude are reduced, and the critical and decision
altitudes are increased to 30.5 m (100 ft) and 61 m (200 ft),
respectively. These correspond to an additional recovery time
requirement of four seconds above that for the longitudinal axis
faults.

FIGURE 24.- COMPARISON OF ALLOWABLE LONGITUDINAL FAULT
DEVIATION ENVELOPES
(Fault deviation versus seconds to touchdown, with the decision
altitude (DA) marked.)


The ILM system information and display requirements, implicit
in these recovery time and aircraft state deviation envelopes, are
functions of the assumptions made in the previous chapters and the
appendices. By virtue of its definition as the measurement equation,
for example, Fig. 39 in Appendix B leads to the ILM sensor
requirements. Information requirements arise from the need to
detect and discriminate among possible failures; and display
requirements arise from the need to provide the pilot with an adequate
means of executing a "safe" recovery.

Sensor errors affect the state being measured in an RSS
(root-sum-square) sense. To ensure that the contribution of sensor error
statistics is negligible to the required false alarm ($\eta$) and missed
alarm ($\zeta$) rates, the sensor measurement error standard deviation
($\sigma$) is specified to be one-third of the nominal standard deviation
of a particular state, due to environmental disturbances (note that
$3\sigma$ for a univariate random variable is approximately 0.997). Thus,
using Tables 24 and 26, a set of ILM information and display
requirements can be derived, as in Table 29. Since extensive sensitivity
studies were not conducted in this study, these requirements are
of a preliminary nature.

The fault recovery portion of the results presented in this
section has been derived from a linearized aircraft model about a
particular nominal condition together with an optimal control pilot
model with a hypothetical set of numerical parameters. Additional
work remains to be performed to study the sensitivity of recovery
time curves to variations in aircraft and pilot model parameters.
Nonetheless, the results presented are representative of the
process of fault detection and subsequent fault recovery.


TABLE 29: PRELIMINARY ILM INFORMATION AND DISPLAY REQUIREMENTS
FOR STRATEGY A

                       ACCURACY REQUIREMENTS (1σ)
                       INFORMATION
                       (DETECTION/           DISPLAY
STATE                  DISCRIMINATION)       (RECOVERY)          COMMENTS

Lateral
  L (Displacement)     0.82 m (2.5 ft)       1.5 m (5 ft)        L = y
  ψ (Heading)          0.1°                  1°
  φ (Roll)             0.1°                  1°
  β (Sideslip)         0.1°                  1°

Longitudinal
  θ (Pitch)            0.21°                 1°
  u (Airspeed)         0.7 m/s               0.52 m/s            u is proportional
                       (0.5 ft/sec)          (1.7 ft/sec)        to X
  α (Angle-of-Attack)  0.21°                 1°
  h (Altitude)         0.3 m (1 ft)          0.3 m (1 ft)        h = z
  R_s (Slant Range)    0.66 m (2.1 ft)       1.5 m (5 ft)


ILM Usage Strategy 

The basic computations of the total time constraints, critical 
altitude, and decision altitude can be translated into definitive 
strategies for operational usage of the Independent Landing Monitor. 
The four elements that must be considered in categorizing the type 
of usage are the navigation aid error characteristics of the run- 
way, the landing accuracy performance requirements (i.e., touch- 
down dispersion manifold), the existing weather category, and the 
airborne autoland system configuration. Again, the type of usage 
ranges from a runway obstruction monitor/gross fault monitor to a 
system with "manual guidance to touchdown" capability. 

Seven principal configuration categories are noted in Table
30. These categories address uses of an ILM in weather visibility
ranging from Cat I to Cat IIIa. Cat 2 1/2 is used to designate
visibility conditions midway between Cat II and Cat IIIa.


These configurations have been arranged in the order of de- 
creasing system performance capability and, therefore, cost. Con- 
figuration 1 represents the highest performance available from the 
navaid characteristics, landing accuracy required, and avionics 
reliability. Here, the principal usage of the ILM is to serve as 
a ground obstruction monitor and confidence builder. Thus, this 
function must be evaluated further by cockpit simulation or flight 
test.


In Configuration 2, the autoland equipment quality is downgraded
by using less expensive but poorer quality components, resulting
in a higher equipment failure rate. Here, the ILM is used to "catch"
the resulting higher rate of system failures. The intent would be
that a lower overall system cost would result. This corresponds to
designing a new aircraft configuration with less expensive primary
avionics and an ILM effectively to buy back the loss of reliability.


TABLE 30.- CANDIDATE APPLICATIONS FOR AN ILM

CONFIG-  NAVAID           LANDING ACCURACY  WORST WEATHER      AIRBORNE SYSTEM    ILM USAGE
URATION  CHARACTERISTICS  PERFORMANCE       (ACTUAL)           CONFIGURATION

1        Category III     Category III      Category IIIa      Fail Operative     Ground Obstruction Monitor;
                                            (See To Rollout)                      Confidence Builder

2        Category III     Category III      Category IIIa      Fail Operative     Detect Out of "Design
                                                               (Downgrade         Envelope" Conditions and
                                                               Equipment          Faults; Use Appropriate
                                                               Quality)           Strategy (Table 30)

3        Category III     Category III      Category IIIa      Fail Passive       "    "    "

4        Category III     Category II       Category 2 1/2     Fail Passive       "    "    "
                                            (Decision Height
                                            ~ 50 Feet)

5        Category II      Category II       Category 2 1/2     Fail Passive       Reduce Decision Height to
                                                                                  50 Feet (Category 2 1/2);
                                                                                  Go-Around If Fault Detected

6        Category III     Category II       Category 2 1/2     Simple Monitoring  Reduce Decision Height;
                                                                                  Go-Around If Fault Detected.

7        Category I/II    Category I/II     Category II        Simple Monitoring  Go-Around If Fault Detected;
                                                                                  Applicable To General Aviation

Configuration 3 applies to fail-passive avionics configura- 
tions. Here, the objective of using the ILM is to upgrade safety 
to the point where the fail-passive system could be used for Cat
IIIa operations.

Configurations 4, 5, and 6 illustrate the attempt to operate
in poorer weather conditions than Category II but better than
Category IIIa. This is economically attractive because such a
weather condition is far more frequent than Category IIIa type
weather. Thus, potentially, at a small equipment cost increase,
a substantial operational gain can be made using an ILM. Condition
4 addresses lowering the decision height below the Cat II
requirement by use of the ILM. Condition 5 addresses the same
situation, except that the navaid system is certified only for
Cat II rather than Cat III. Condition 6 is the same as Condition
5 except the autoland system is not fail-passive (i.e., the
automatic disconnect feature is absent). Thus, it places the most
stringent requirements on the ILM.

Configuration 7 applies to general aviation aircraft. Here, 
the intent is to lower the operational ceiling of the simple
avionics system. Note that for Configurations 5, 6, and 7, the ILM
is mainly used as a go-around prompter. The configurations labeled
3, 4 and 5 are considered to be the most promising usage categories 
based on the projected numbers of aircraft and economic-operational 
benefit.

To specify clearly the operational strategy to be executed
for each of these configurations, one needs to consider the type
of fault that occurs and the height at fault detection. Table 31
presents the pilot/crew strategy for Configurations 2-7 in Table
30. Based on the fault type and detection height, this table
specifies the required ILM annunciator display message and the
corresponding pilot/crew strategy recommendation. The strategies
are partitioned into three subgroups based on the system
configuration, defined in Table 30. For each of these subgroups, the
strategy is controlled by the altitude at which the fault occurs,
as compared to the critical altitude (CA) and decision altitude
(DA). Thus, three ranges of altitude h exist, namely: (1) h > DA,
(2) DA > h > CA, and (3) CA > h > 0. Corresponding to each of these
altitude zones, three main classes of faults can occur, namely:
(1) wind outside design envelope, (2) autoland or MLS fault leading
to landing accuracy performance degradation (down to Cat II),
and (3) unacceptable autoland or MLS fault (hard failure). The
corresponding pilot action is documented in the last column.


TABLE 31.- PILOT/CREW STRATEGY FOR EACH CONFIGURATION (POST FAULT
DETECTION)

CONFIG-  HEIGHT AT FAULT     FAULT/FAILURE                    ILM          PILOT ACTION
URATION  DETECTION                                            ANNUNCIATOR

2, 3     h > DA              1. Wind Outside Design           Abort        Initiate Automatic/Instrument
                                Envelope                                   Go-Around at h = DA

                             2. Autoland or MLS Fault         Caution      Continue Autoland Approach Until
                                Leading to Landing                         DA; Be Prepared for Go-Around
                                Accuracy Performance
                                Degradation (Down to
                                Category II)

                             3. Unacceptable Autoland/        Abort        Exercise Instrument Landing With
                                MLS Fault (Hard)                           ILM Guidance or Automatic/
                                                                           Instrument Go-Around

         CA < h < DA         Case (1), (2), (3)               Abort        Automatic/Instrument Go-Around
         (CA 6 m)

         *0 < h < CA         Case (1), (2), (3)               Landing      Automatic/Instrument Land; Be
                                                                           Prepared To Initiate Emergency
                                                                           Landing Procedure

4, 5, 6  h > DA              1. Wind Outside Design           Abort        Automatic/Instrument Go-Around
         (DA 16 m,              Envelope
         ~Category 2-1/2)
                             2. Autoland or MLS Fault         Caution      Continue Autoland/Instrument
                                Leading to Landing                         Approach Until DA; Establish
                                Accuracy Performance                       Visual Contact to Land,
                                Degradation (Down to                       Otherwise Go-Around
                                Category I)

                             3. Unacceptable Autoland/        Abort        ILM/Instrument Guidance to DA;
                                MLS Fault* (Hard)                          Establish Visual Contact and
                                                                           Land Manually; Otherwise
                                                                           Go-Around

         CA < h < DA         Case (1), (2), (3)               Abort        Automatic/Instrument Go-Around
         (CA 6 m)

         *0 < h < CA         Case (1), (2), (3)               Landing      Automatic/Instrument Land, Be
                                                                           Prepared To Initiate Emergency
                                                                           Landing Procedure

7        h > DA              Fault Detected                   Abort        Instrument Go-Around
         (DA 60 m)

         h < DA                                                            Establish Visual Contact at DA
                                                                           and Land Manually

* See Table 31 for strategy modification based on aircraft attitude

When the wind exceeds the design conditions above DA, 
the control remains automatic until DA is reached. If this wind 
condition has not subsided by the time DA is reached, an automatic 
instrument go-around is initiated. If the failure is soft, lead- 
ing mainly to performance degradation, then the automatic approach 
is continued until DA with the proviso that if the nature of the 
fault becomes more severe, a go-around must be executed. If the 
nature of the fault remains the same, enough monitoring capability 
must be provided to the pilot to assure him that the automatic 
landing can be safely continued. If an unacceptable fault is de- 
tected for h > DA, then a manual takeover is required. Whether a 
go-around or a manual landing is executed depends on the guidance 
capabilities of the ILM system. 

The principal difference between the strategy for Configura- 
tions 2 and 3, described above, from that for 4, 5, and 6 is that 
better visibility exists for the latter. Thus, post-fault manual 
landings are attempted only after establishing visual contact with 
the runway above DA for Configurations 4, 5, and 6. In all cases, 
for altitudes below DA but above the critical altitude (CA), the
automatic landing is aborted and a manual go-around is initiated
in case of detected fault.

For altitudes below the CA, further strategy modifications
based on aircraft attitude are possible. Essentially, these
amount to recommending that in the event of a pitch up situation
due to a fault, it is better to execute a go-around rather than a
landing, for the longitudinal axis. And if the roll attitude or
roll rate due to a fault increases the lateral deviation, then
the proper pilot action is go-around rather than land. This type
of strategy refinement for low altitudes is documented in Table 32.
The Boeing 737 attitude limits at touchdown, for a 3 m/s (10 f/s) 
sink rate are presented in Fig. 25. These attitude constraints 
can be extrapolated to slightly higher altitudes to define recom- 
mended pilot/crew actions based on aircraft attitude at fault 
detection. In this manner, the pilot/crew strategy at the higher 
altitude can be blended with those at lower altitudes. 


Proposed Display Configurations 

The candidate ILM display configurations fall into two categories
-- automatic fault monitoring/warning and manual guidance.
When the primary ILM mode is automatic warning and the secondary
mode is pilot display, the monitor warns the pilot when the aircraft
exceeds predetermined flight envelope limits. The secondary
mode pilot display provides guidance under two conditions: (1) from
failure warning point down to DA, and (2) from any warning point
to a safe go-around flight path.

On the other hand, if the primary ILM mode is to serve as a
pilot display for manual guidance, then it provides the pilot with
a visual picture of where the aircraft is within the safe flight
envelope. It also provides a "continue to DA" or go-around flight
path guidance on command. The secondary automatic warning mode
of the ILM, in this case, provides a backup warning if the pilot
ignores the primary display mode.


TABLE 32.- STRATEGY REFINEMENT FOR ALTITUDES BELOW
THE CRITICAL ALTITUDE

AXIS           CONDITION      PILOT ACTION

Longitudinal                  Go-Around
               5 < e <        Land

Lateral        If ^           Go-Around
               ti <           Go-Around
               L > L_max      Go-Around

Notation:  θ    Pitch angle
           θ̇    Pitch rate
           φ    Roll angle
           φ̇    Roll rate
           L    Lateral displacement of centerline


FIGURE 25.- TOUCHDOWN ATTITUDE LIMITS FOR THE BOEING 737-100

The ILM system output in its simplest format would be a status
panel-type display depicted in Fig. 26. Each of the status panel
symbols corresponds to those noted in Table 31, discussed in the
previous section. The caution signal would typically be a flashing 
amber light cancelable by the pilot. The controlling logic would 
reinitiate the alarm if the hazard still existed after, say, three 
seconds. The other symbols in the panel would be flashing or 
steady red lights, cancelable only on executing the appropriate 
pilot/crew strategy described in Table 31. These basic visual 
signals could be augmented by the proper auditory (e.g., buzzer, 
synthetic voice) alarms. 


An appropriate guidance mode display is illustrated in Figure 
27. This display format is similar in configuration to current 
guidance/flight director displays except that an elliptic boundary 
representing the ILM safe manifold is added. This display would 
function as a continuous monitoring aid to the pilot during auto- 
matic landing. Go-around prompting and guidance are provided when 
a fault is detected. A fault is visually detected when the air- 
craft symbol falls outside the safe manifold ellipse. 


FIGURE 26.- STATUS-MONITOR PANEL IN ILM DISPLAY OPTION
(panel legends: CAUTION, WIND, MLS, ILM, AUTOPILOT, ABORT, LAND)


FIGURE 27a.- PILOT DISPLAY MODE - CRT DISPLAY (MONITOR/
GO-AROUND PROMPTER) -- AT INSTANT OF GO-AROUND INITIATION


FIGURE 27b.- PILOT DISPLAY MODE - CRT DISPLAY (MONITOR/
GO-AROUND PROMPTER) -- AT INSTANT OF GO-AROUND RECOVERY
COMPLETION


Figure 27a shows the displayed situation at the time instant
when the go-around is initiated due to the aircraft symbol falling 
outside the ILM "safe" manifold. A go-around flag is displayed at 
the top center of the display, and a flight path vector leading to 
safe recovery is indicated. The changes in symbology that occur 
at the time instant the go-around recovery is completed are shown 
in Figure 27b. Note that the ILM "safe" manifold is centered and a 
positive climb rate has been established. 

For autoland equipped aircraft with landing guidance provided
by the ILM, the display would incorporate a runway symbol to aid
the pilot in assessing his relative position prior to decision
height; a display of this type is presented in Figure 28. At the
lower edge of the display, the ILM derived smoothed runway reference
heading is displayed. On the left edge, the smoothed flight
path angle is displayed. The heading and flight path angle information
are supplemented by a flight path vector and aim point display
superimposed on the runway symbol, during the last 300 m
(1000 ft) of altitude. At 300 m altitude, the ILM messages at the
upper-middle portion of the display are activated.


FIGURE 28.- CANDIDATE LANDING DISPLAY FORMAT FOR ILM
SYSTEM (AUTOLAND NORMAL)


The central portion of the display in Figure 28 contains a 
specific message such as "go-around" or "land." The objective of 
this message field is to integrate the status type information 
regarding faults detected and the corresponding pilot decision into 
a single CRT type display. On the left of the message field, the 
time to critical altitude (TCA) and time to decision altitude (TDA) 
are displayed. On the right side of the field, the difference
between current altitude and critical altitude (ACA), and current
altitude and decision altitude (ADA) are displayed. These four
numbers provide the pilot with continuous information on the
emergency alternatives available to him (if a fault were to occur) and
the criticality of a fault. For example, an autoland failure above
decision altitude would allow him to take over and land safely,
whereas such a failure below decision altitude would require the
pilot to execute a go-around. An additional quantity displayed
to the pilot is the time to touchdown (TTD); this becomes the key
parameter of interest below critical altitude.

Additional parameters to be displayed would include: (1) command
pitch, roll, and speed bars, and (2) estimated wind and turbulence
level. The final design format for displays to execute
manual landings to touchdown under low visibility conditions must
await a substantial cockpit simulation effort backed by computer
analysis.

For the aircraft not equipped with automatic landing capability,
the ILM serves as an autopilot monitor. The display symbology
is similar to that for autoland aircraft. The differences are a
direct result of differing usage strategies. The main objective
of an ILM in this case is to: (1) provide visual guidance down to
DA, and (2) command a go-around in case of equipment failure or
severe winds. The display format in Fig. 29a depicts the situation
when the aircraft is at the caution limits and manual takeover
procedures must be initiated. Figure 29b presents the situation where
the "caution" flag has been changed to "proceed to DA" requiring a
manual takeover and ILM guidance to decision altitude; visual contact
with the runway is to be established at that point before
proceeding any further. The third situation shown in Fig. 29c
indicates where the aircraft has deviated off the nominal by a
significant amount and, consequently, the ILM message recommends
a "go-around" rather than a "proceed to DA." Note that the "TDA"
and "ADA" numeric messages are no longer valid and are electronically
removed from the electronic CRT display.


FIGURE 29a.- GUIDANCE MODES FOR NONAUTOLAND AIRCRAFT --
AT CAUTION LIMITS


FIGURE 29b.- GUIDANCE MODES FOR NONAUTOLAND AIRCRAFT -- PROCEED
TO D.A. MANUALLY


FIGURE 29c.- GUIDANCE MODES FOR NONAUTOLAND AIRCRAFT -- EXCEEDING
LANDING LIMITS, MANUAL GO-AROUND MODE


System Hardware Implementation

Based on the material presented in the preceding sections of 
this report, an ILM hardware implementation is proposed. It consists 
of sensors for attitude and position with respect to the runway, a 
computer for implementing fault detection-discrimination algorithms 
and generating display information, and the displays for presenting 
the recommended pilot-crew action and fault category. 

A schematic block diagram of the ILM computer with the associated
input and output is shown in Figure 30. This figure indicates
the ILM sensor inputs; these include independent position and atti- 
tude sensors. 


Potential independent position sensors include: (1) precision
approach radar, (2) trilateration transponders, and (3) redundant
MLS. Attitude sensors recommended include redundant gyros to obtain
roll (φ), pitch (θ) and heading (ψ) angles. Additional vane
type or multiorifice head sensors are recommended for measuring
angle-of-attack (α) and angle of sideslip (β). The state manifold
generator computes the nominal roll, pitch (9j^) and heading
angle values for comparison with the measured attitudes.


FIGURE 30.- SCHEMATIC BLOCK DIAGRAM OF AN ILM COMPUTER CONFIGURATION

The figure also shows the interconnections with the primary 
autoland and MLS systems and their sensors. In a practical imple- 
mentation, a special effort must be made to minimize this inter- 
face. On the right side of the figure, the output to the display 
and mode selector panel is shown. The mode selection feature is 
included to allow the crew the ability to select the phase of 
flight and the guidance or monitoring mode described in the pre- 
vious section on displays. 

A considerable amount of further work remains to be performed 
(via analysis and cockpit simulation) before the ILM hardware con- 
figuration can be detailed. Specific items include finalization 
of intended uses for the ILM, establishment of fault detection 
algorithm details, establishment of ILM sensor configuration and 
accuracy requirements, refinement of display formats, development 
of ILM computer algorithms and logic requirements, and selection 
of computer, display, and interface requirements.


VII. SUMMARY, CONCLUSIONS, AND RECOMMENDATIONS


This effort has developed a systematic procedure which can be 
used to obtain specific information and display requirements for an 
Independent Landing Monitor. Numerical values and linearized sys- 
tem models were used throughout the study to test this procedure 
and to yield approximations to the ILM requirements for the Boeing 
737 TCV aircraft. 


The study had multiple objectives; briefly, these were: 


1. Define the possible uses for the ILM and determine how 
these uses could be justified. 

2. Establish the information processing requirements for the 
ILM that will support these uses. This included detec- 
tion of faults in the MLS and autoland systems and out-of- 
tolerance wind conditions. 

3. Determine typical time elapsed between fault occurrence,
fault detection, and fault recovery. The associated perturbation
to the nominal flight path due to the fault was
to be computed. Crew action included the manual takeover
for both go-around and landing.

4. Based on the timing requirements, devise ILM strategies 
to govern what crew action is appropriate as a function 
of altitude and aircraft attitude. 

5. Devise display formats that provide the crew with neces- 
sary information to monitor the automatic landing, deter- 
mine that a fault has occurred, and guide the subsequent 
manual control of the aircraft. 

6. Describe further analysis and testing required to realize 
the implementation of the ILM. 

Because there are multiple, complex facets of the analysis of the 
ILM, this limited study concentrated on the final landing portion 
of the flight sequence. ILM uses for approach, rollout, and takeoff
monitoring and guidance were briefly discussed but not analyzed.


Summary and Conclusions


The use of the ILM studied in this investigation was to serve
as a backup fault monitor and to provide guidance for manual fault 
recovery. The types of information that are derived by the ILM for 
such applications include: (a) the status of aircraft states, (b) the 
presence of a fault, (c) the type of fault, (d) what recovery strat- 
egy should be followed, and (e) pilot/crew guidance information to 
realize the recovery strategy. The manner in which this information 
is presented to the pilot and crew constitutes the display
requirements.


The development of the information and display requirements 
involved a five-step iterative process. The steps were: 


1. Determination of the ILM system performance requirements 
to meet fixed safety constraints. ILM performance is 
measured in terms of ILM hardware reliability, false alarm 
rate, and undetected failure rate. 

2. Determination of time-to-detect specific fault situations
with the ILM system performance (determined in the first
step) fixed. This necessitated the postulation of fault
detection algorithms and their subsequent simulation.

3. Determination of the time-to-correct the state error following
the detection of the fault. The state error magnitude
at the time of fault detection was dependent upon
the required time for detection and the error growth rate
due to the fault.

4. Specification of crew procedures following fault detection. 
These procedures were dependent upon the time availability 
for recovery in terms of remaining altitude and the prevail- 
ing conditions of the avionics, navigation aids, and envi- 
ronment (wind, visibility) . 

5. Recommendation of display formats that would provide neces- 
sary information to the crew to implement the previously 
specified procedures. 

These steps are now summarized in more detail.

The ILM potentially has three general benefits -- improving the
level of safety of an existing flight system, providing the means of 
lowering the landing minimums while maintaining a given level of 
safety, and providing the means of lowering the redundancy require- 
ments (and thereby initial investment and maintenance costs) of the 
autoland system while still maintaining a given overall safety 
level. Thus, safety is an important criterion in the ILM design, 
and it is used in the study to specify hardware and software re- 
quirements for the ILM. 

The system safety analysis required the determination of 
contribution of each flight subsystem to the total system probability
of catastrophic failure. The introduction of an ILM to complement
a given autoland system must provide an improved level of
safety based on the present standards for automatic landing systems. 
The analysis showed that for typical failure rates of existing 
equipment, the ILM could improve performance if a voting strategy 
was used where the ILM monitor had to agree with existing autoland 
or MLS monitors before corrective action was taken. 

The safety budget analysis led to the specification of typical
performance requirements for the ILM system. A landing phase (total
exposure period) of 250 seconds was assumed, and the autoland/MLS
equipment failure rate (Pgp) was assumed to be 10 (MTBF of 700
hours). The autoland/MLS hardware monitor false alarm rates (nuisance
disconnects) and missed alarm rates (undetected failures)
were assumed to be 10'^. The resultant ILM system performance
requirements are as given in Table 33. These numbers produce an
overall catastrophic accident rate of 10. Typical values are
given for the ILM hardware failure rate (Pjlm^), false alarm rate
(PpAi), missed alarm rate (Pmai^), go-around accident rate (Pq^^j),
and manual landing accident rate (Pj^lj). These values are highly
dependent on the assumed performance of the system without the ILM.


TABLE 33.- SAFETY BUDGET ANALYSIS REQUIREMENTS
ON ILM SYSTEM PERFORMANCE

PROBABILITY QUANTITY                              NUMERICAL VALUE

Autoland/MLS Equipment Failure Rate
(MTBF 700 Hours); (Pgp)                           10"^
ILM Hardware Failure Rate                         1 o I—1
ILM False Alarm Rate                              1 o 1—1
ILM Missed Alarm Rate (Pj^j^j)                    10'^
Go-Around Accident Rate with ILM (Pq^^j)          o 1
Manual Landing Accident Rate With ILM             10^-4

The ILM false alarm and missed alarm requirements serve as con- 
straints in designing the fault detection software. Specifically, 
these two numbers determine what threshold settings should be plac- 
ed on the input measurements monitored and how many sequential sam- 
ples of measurement data are necessary to determine that a fault 
has occurred. Conversely, for a fault to be detected in, say, two 
seconds, the false alarm and missed alarm constraints determine 
how much larger the state error due to the fault must be than the 
normal noise threshold of the measurement quantity. This governs 
the requirement placed on the ILM input measurement accuracy. 


Two fault detection schemes, the t test and the χ² test, were
formulated for detecting abnormal changes in a measurement input's
mean and variance, respectively. These schemes were tested by
simulation to confirm that the false and missed alarm requirements were
being met and that the time-to-detect matched analytical predictions.
Additional schemes were suggested but not tested for discriminating
the type of failure that did occur (e.g., autoland, MLS, wind gust).
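
The sizing relationship in the two paragraphs above, as an added example that is not the report's own algorithm: a sliding-window mean test and variance test on one measurement residual, with thresholds set from a false alarm budget and the minimum detectable shift set by both budgets. Assumptions not in the report: a 10 Hz sample rate (so a two-second window is 20 samples), a known nominal sigma (so the mean test uses a normal threshold in place of Student's t), budgets applied per window, a Wilson-Hilferty approximation for the chi-square quantile, and constructed residual data.

```python
import math
import random
from collections import deque
from statistics import NormalDist, fmean, variance

STD_NORMAL = NormalDist()
SAMPLE_HZ = 10            # assumed sample rate, not from the report
WINDOW = 2 * SAMPLE_HZ    # "detected in, say, two seconds" -> 20 samples


def effective_sigma(sigma_state):
    """RSS of the nominal state sigma and a sensor sigma one-third as large."""
    return math.hypot(sigma_state, sigma_state / 3.0)


def z_budget(p_fa, p_ma):
    """Normal deviates for a two-sided false-alarm and a missed-alarm budget."""
    return STD_NORMAL.inv_cdf(1 - p_fa / 2) + STD_NORMAL.inv_cdf(1 - p_ma)


def min_detectable_shift(sigma, n, p_fa, p_ma):
    """Smallest mean shift an n-sample window catches within both budgets."""
    return z_budget(p_fa, p_ma) * sigma / math.sqrt(n)


def samples_needed(sigma, shift, p_fa, p_ma):
    """Window length needed to catch a given mean shift within both budgets."""
    return math.ceil((z_budget(p_fa, p_ma) * sigma / shift) ** 2)


def chi2_quantile(p, dof):
    """Wilson-Hilferty approximation to the chi-square quantile (stdlib only)."""
    a = 2.0 / (9.0 * dof)
    return dof * (1.0 - a + STD_NORMAL.inv_cdf(p) * math.sqrt(a)) ** 3


class ResidualMonitor:
    """Sliding-window monitor on one residual (measured minus nominal state)."""

    def __init__(self, sigma, n, p_fa):
        self.n = n
        self.window = deque(maxlen=n)
        # Mean test: the window mean of nominal noise has sigma / sqrt(n).
        self.mean_limit = STD_NORMAL.inv_cdf(1 - p_fa / 2) * sigma / math.sqrt(n)
        # Variance test: (n-1) * s^2 / sigma^2 is chi-square with n-1 dof.
        self.var_limit = chi2_quantile(1 - p_fa, n - 1) * sigma ** 2 / (n - 1)

    def update(self, residual):
        """Return (mean_alarm, variance_alarm); both False until the window fills."""
        self.window.append(residual)
        if len(self.window) < self.n:
            return (False, False)
        return (abs(fmean(self.window)) > self.mean_limit,
                variance(self.window) > self.var_limit)


def first_alarms(stream, monitor):
    """Sample index of the first mean alarm and first variance alarm."""
    first = {"mean": None, "variance": None}
    for i, residual in enumerate(stream):
        mean_alarm, var_alarm = monitor.update(residual)
        if mean_alarm and first["mean"] is None:
            first["mean"] = i
        if var_alarm and first["variance"] is None:
            first["variance"] = i
    return first


def constructed_stream(kind, sigma, length=200, onset=100, seed=7):
    """Constructed residuals: nominal noise, then an optional fault at onset.

    kind = "nominal": no fault; "bias": 3-sigma mean shift; "noisy": 4x sigma.
    """
    rng = random.Random(seed)
    out = []
    for i in range(length):
        faulty = i >= onset
        scale = 4.0 if (faulty and kind == "noisy") else 1.0
        bias = 3.0 * sigma if (faulty and kind == "bias") else 0.0
        out.append(bias + rng.gauss(0.0, sigma * scale))
    return out


if __name__ == "__main__":
    sigma = effective_sigma(1.0)
    print("minimum detectable shift:",
          round(min_detectable_shift(sigma, WINDOW, 1e-6, 1e-6), 3))
    for kind in ("nominal", "bias", "noisy"):
        monitor = ResidualMonitor(sigma, WINDOW, 1e-6)
        print(kind, first_alarms(constructed_stream(kind, sigma), monitor))
```

Tightening either budget raises `z_budget`, so for a fixed window the fault must push the state further from nominal before it is caught, which is the trade the text describes between detection time and input measurement accuracy.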

The type of fault, the resultant rate of state error buildup,
and the time-to-detect this fault determine how large the state error
is at the time of fault recovery. Thus, the time-to-recover from
a fault is dependent upon the time-to-detect. The time-to-recover is
also dependent upon what action the pilot takes for the recovery.

For the go-around, the action is first to stabilize the aircraft and 
then to execute the climb-out procedure. For manual landing, the 
aircraft is first stabilized, the desired glide slope is next captured, 
and finally this glide slope must be tracked. 


To determine time-to-recover, a linear model was developed
of the aircraft/display/pilot system. The different phases of the
recovery required developing correspondingly different models of
the pilot's action for each of these phases. The effect of ILM
display errors was also included in the model. The pilot models
were developed using the optimal control model procedure and limited 
available pilot performance data. 

The linear system model was used to develop a covariance propagation
procedure for assessing time-to-recover. Time-to-recover
was defined as the length of time required to bring the aircraft
error covariance inside of that which would normally exist due to
normal gust conditions and navigation errors. This response time
is highly dependent on the pilot performance model and what
constitutes "safe" recovery. Thus, the quantitative results of this study
are only examples and must be substantiated by further cockpit
simulator tests.

The accuracy requirements on specific states which are first
used as inputs to the ILM and then are displayed to the crew for ILM
Strategy A were obtained and are tabulated in Table 34. Essentially
the ILM state input accuracy requirements are those dictated by the
fault detection and discrimination system. The display parameter
requirements are dictated by the recovery guidance needs during
go-around and manual landing. Because extensive sensitivity studies
were not conducted to study the effect of key parameters, these
accuracy requirements must be treated as preliminary.


TABLE 34.- PRELIMINARY ILM STATE INPUT AND DISPLAY REQUIREMENTS FOR
STRATEGY A

                       ACCURACY REQUIREMENTS (1σ)
                       STATE INPUT
                       (DETECTION/           DISPLAY
STATE                  DISCRIMINATION)       (RECOVERY)          COMMENTS

Lateral
  L (Displacement)     0.82 m (2.5 ft)       1.5 m (5 ft)        L = y
  ψ (Heading)          0.1°                  1°
  φ (Roll)             0.1°                  1°
  β (Angle of          0.1°                  1°
    Sideslip)

Longitudinal
  θ (Pitch)            0.21°                 1°
  u (Airspeed)         0.7 m/s               0.52 m/s            u is proportional
                       (0.5 ft/sec)          (1.7 ft/sec)        to X
  α (Angle-of-Attack)  0.21°                 1°
  h (Altitude)         0.3 m (1 ft)          0.3 m (1 ft)        h = z
  R_s (Slant Range)    0.66 m (2.1 ft)       1.5 m (5 ft)


The time-to-detect and time-to-correct results were summed to
yield total time for detection and correction as a function of
state error magnitude. This was done for both lateral and longitudinal
modes and both go-around and landing. These timing requirements
were then converted to envelopes about the nominal approach
trajectory. Constraints such as obstacle clearance, stall angle,
and roll angle limits were imposed on these results. Thus, these
envelopes defined altitudes above which it was safe to attempt a
manual landing and safe to attempt a manual go-around. Two altitudes
-- decision altitude (DA) and critical altitude (CA) -- were
then defined which aided in the subsequent crew procedure definition.

The pilot decision strategy was then developed to correspond
to the flight path envelope constraints, determined by the fault
detection and recovery analysis. Three different variations of
this strategy for Category II and IIIA weather are summarized in
Table 35.


Two different display concepts were developed to provide neces- 
sary monitoring and guidance information to the crew to allow mech- 
anization of the ILM concepts developed in this study. Crew pro- 
cedures are defined for using both displays. One display system 
consists of a set of panel warning lights shown in Figure 31, 
which would indicate which subsystem has failed, and what action is 
recommended to the crew. For this system, guidance would be provid- 
ed by other cockpit instruments. The other display system proposed 
consists of a CRT-type display presented in Figure 32, showing the 
aircraft’s attitude and position with respect to the nominal trajec- 
tory. A closing ellipse on the display indicates the boundaries of 
the safety envelope developed by the fault detection and recovery 
analysis. Additional features incorporated into the display include 
numeric data on the difference between the current altitude and the 
decision and critical altitudes (i.e., ΔDA, ΔCA), respectively;
the corresponding time to reach these altitudes is also displayed
(i.e., TDA, TCA). These features enable the pilot/crew to be
apprised of the recovery decision options that are open (i.e.,
go-around, manual landing with ILM, manual landing under visual
guidance, emergency landing) at any given time. This display would
have enough additional information to allow complete manual guidance 
for go-around or continuation of the landing sequence. 


TABLE 35.- EXAMPLE POST FAULT DETECTION PILOT DECISION STRATEGY

WEATHER         FAULT DETECTION   PILOT/CREW ACTION            COMMENTS
CATEGORY        ALTITUDE

II (Visible     h > DA            Proceed to DA Under          ILM Serves As Go-Around
Below DA)                         Manual/Instruments           Prompter
                CA < h < DA       Go-Around
                h < CA            Emergency Landing

IIIA            h > CA            Go-Around                    ILM Serves As Go-Around
                                                               Prompter
                h < CA            Land; Prepare For
                                  Emergency

IIIA            h > DA            Manual Takeover And          ILM Provides Possible
                                  Land With ILM Guidance       Guidance Capability To
                CA < h < DA       Go-Around                    Touchdown In Category
                h > CA            Emergency Landing            IIIA

Critical Altitude (CA) - Altitude below which no fault can be
                         recovered from within required levels
                         of safety, for a go-around or a landing
                         decision.

Decision Altitude (DA) - Altitude below which no fault can be
                         recovered from within required levels
                         of safety, for a landing decision.

FIGURE 31.- STATUS-MONITOR PANEL IN ILM DISPLAY OPTION

FIGURE 32.- CANDIDATE LANDING DISPLAY FORMAT FOR ILM
SYSTEM (AUTO LAND NORMAL)

In summary, the main emphasis of this study was to establish a
fundamental methodology for the analysis of landing systems
(automatic or manual). The principal benefit of this analytical
procedure is in generating design guidelines for implementing airborne
systems that would be too dangerous and costly to be obtained from
flight test directly. Moreover, it provides a basis for formulating
simulator experiments in a cost-conscious manner. Specific
analytical results, of operational value, that can be obtained by applying
this methodology include numerical values for landing minima and
flight path deviation envelopes for a given aircraft/avionics
configuration, ground-based navigation aid, and weather/visibility
conditions. Furthermore, optimum (in a probabilistic sense)
emergency recovery procedures can be derived as a useful byproduct of
this methodology.

The analytical approach developed was used to evaluate infor- 
mation and display requirements for an ILM. It is emphasized again 
that many simplifying assumptions were used in this study for quan- 
tifying both the aircraft and pilot behavior and for determining 
the ILM performance requirements. These assumptions were necessary 
so that the methodology could be demonstrated and because detailed 
models (with numerical values) of the Boeing 737 TCV system were 
unavailable. Consequently, more analytical results should be
obtained to get sensitivity measures of key parameters to the
information and display requirements.


Recommendations

Much additional work is required to reach a point where an 
ILM system based on the concepts of this study can be developed for 
flight testing. Seven specific study areas which require further 
work to enable designing and testing an ILM that meets broad usage 
requirements are:

1. Pilot Reaction Time -- The timing requirements and manual
landing/go-around decision logic are based on models for
the pilot as a controller and decision maker. In this
effort, pilot models were based on limited previous data.
An analytical/experimental effort is required to develop
and validate more accurate models of the pilot response
in stabilizing the aircraft and recovering from a fault
condition. Model parameters must be determined that are
consistent with the dynamics of the 737 aircraft in
approach, landing, ground roll, and go-around. This
modeling study would require extensive use of a cockpit
simulator.

2. Ground Phase Analysis -- The current effort was mainly con- 
cerned with the landing phase (500 feet to touchdown) of 
flight. The ILM can also provide both lateral and longitu- 
dinal guidance during rollout and takeoff. Further analy- 
tical work is required to develop more detailed performance 
requirements of the system during this ground phase to 
supplement those developed in this study for the land- 
ing phase. 

3. Approach and Go-Around Phase Analysis -- The ILM can be 
used during the approach phase as a ground proximity warn- 
ing system and to detect general variations from the flight 
path. It can also be used as a backup guidance system
during go-around. Similar to the ground phase, more
analytical work is required to specify performance requirements
for these phases.

4. Fault Detection -- The current effort defined methods which 
can be used to detect faults of the MLS, autoland, or ILM 
systems. The effort was based upon assumed measurement 
system models. Additional effort is required to obtain more 
exact models of sensor and signal inputs, their errors
and noise characteristics, and the resultant effect on
the performance of the fault detection logic. These more 
detailed results are required for specifying sensor accur- 
acy requirements so that fault detection timing require- 
ments can be met. Also, more specific software require- 
ments must be determined. 

5. Display Format Experiments -- Both head-up and head-down
displays are being considered for the ILM. Further details
as to the type and quantity of information displayed must 
be answered. A simulator experiment must be conducted to 
determine what the preferred format is with respect to 
pilot workload, pilot acceptability, and pilot performance 
in making decisions and controlling the aircraft. The 
required accuracy of the displayed elements must also be 
determined on an experimental basis. The fundamental ques- 
tion of whether the ILM can be used as a display for manual 
landing in Category III weather must be answered. 
6. Timing Requirements -- The current effort required the
assumption of preliminary pilot models and a linearized
model of the 737. It also was assumed that the detection
logic functions in a given time period. The completion
of the effort described in Tasks (1)-(5) above would
provide more exact information on the overall requirements of
the ILM. In addition, more exact nonlinear models of the
737 aircraft are under development. More elaborate
numerical methods exist which can be used to determine the
statistical distribution of aircraft path perturbations
due to faults. These elements should be combined in a
detailed simulation to obtain more precise timing
requirements for the ILM to detect faults in order to provide a
specified level of safety.


7. Integration of Sensor, Computer, and Display Requirements --
The sensor, system software, and display requirements will
dictate what type of computer is required to implement the
ILM. Before proceeding to build a prototype of the
system, a design study must be conducted to integrate the
components and to provide the final design specification.


These seven tasks represent an integrated procedure which must 
be followed for development of an ILM that meets the wide range 
of potential users' requirements. These tasks are based on the 
systematic procedure developed in this study and other parallel 
work that has been accomplished. These steps serve to obtain more 
exact answers and to obtain quantitative and qualitative data that 
can only be produced by man-in-the-loop simulator studies. 

The ILM has a great potential for reducing aircraft operating 
costs by allowing increased operation in low visibility conditions. 
However, to realize this potential requires a vigorous research 
and development program with a full commitment on the part of the
government to obtaining required technical and operational infor- 
mation. Specifically, a systematic simulator validation program 
must be conducted to verify the various assumptions made during the 
course of this study. It is recommended that such action be taken 
based on the steps outlined above. 
APPENDIX A

SAFETY BUDGET ANALYSIS

Introduction

In Chapter III the system safety assessment was presented
using an event outcome tree. This tree is illustrated in Figure
33. The purpose of this appendix is to define in more
mathematical detail the meaning of the various types of probabilities
which are included and relate these to the exposition in Chapter
III. These definitions are related to safety requirements of the
ILM monitor system.

The outcome tree relates only to the final portion of the
landing approach. It is assumed that a critical altitude h*
exists in the monitor logic. Above h*, the chances of a
successful go-around maneuver following a fault are greater than
the chances of a successful landing. Thus, if the fault is
detected above h*, a go-around maneuver is always commanded
(and assumed to be obeyed); this is illustrated in Figure 34,
as pilot decision Strategy A. Another strategy alternative,
designated as decision Strategy B, is illustrated in Figure 35.
This is a viable strategy provided the weather conditions permit
adequate visual contact to be established with the runway prior
to reaching altitude h*.

The next section defines the various probability terms.
Then equations to compute the terms defined are presented. The
incorporation of an independent landing monitor (ILM), in addition
to the existing primary autoland monitors, is discussed.
Additional definitions and equations are also presented.

FIGURE 34.- POST FAULT DETECTION PILOT DECISION
STRATEGY (A)

FIGURE 35.- POST FAULT DETECTION PILOT DECISION
STRATEGY (B)



Probability Definitions

To understand the equations in this appendix, the following
definitions are needed:

$h_I$ = altitude indicated by monitor sensors

$h^*$ = critical altitude

$h_D$ = altitude where fault is detected

$h_{f_j}$ = altitude where jth fault occurs

$\Delta h_I = h_I - h_D$; error in indicated altitude

$p_{f_j}(h_{f_j})$ = probability density function that jth fault
    occurs at altitude $h_{f_j}$

$p_{D_j}(h_{f_j} - h_D \mid h_{f_j})$ = conditional probability density function
    that detection of jth fault is detected
    at altitude $h_D$ given that the jth fault
    occurs at altitude $h_{f_j}$

$P_I(\Delta h_I > h^* - h_D)$ = probability that error $\Delta h_I$ is greater
    than $h^* - h_D$

$p_I(\Delta h_I)$ = probability density function of altitude error $\Delta h_I$

$p_{E_k}(h_D)$ = probability density function that the kth fault is
    incorrectly identified at altitude $h_D$

$p_{D_k}(h_D \mid h_{f_k})$ = conditional probability density function that
    the kth fault is identified at altitude $h_D$
    given that this fault did not occur at altitude $h_{f_k}$

$p_{(f,n)(d,u)(p,a,v)(g,l)(j,k)}(c_i \mid h_D)$ = failure probability
    density function

    f = fault present in equipment
    n = no fault present in equipment
    d = primary monitor detected fault
    u = primary monitor undetected fault
    p = piloted control (displays)
    a = automatic control
    v = piloted control (visual)
    g = go-around decision
    l = landing decision
    j = index on type of fault (N total)
    k = index on type of false fault (N total)
    i = index on type of catastrophe (M total)

$p_{fdpg_j}(c_i \mid h_D)$ = conditional probability density function
    that the ith catastrophe will occur during
    go-around due to the jth fault being
    detected at $h_D$

$p_{fdpl_j}(c_i \mid h_D)$ = conditional probability density function
    that the ith catastrophe will occur during
    landing due to the jth fault being detected

$p_{fual_j}(c_i \mid h_{f_j})$ = conditional probability density function
    that the ith catastrophe will occur during
    landing due to the jth fault occurring at
    $h_{f_j}$ and not being subsequently detected

$p_{ndpg_k}(c_i \mid h_D)$ = conditional probability density function
    that the ith catastrophe will occur during
    go-around due to the kth fault being
    incorrectly identified at altitude $h_D$

$p_{ndpl_k}(c_i \mid h_D)$ = conditional probability density function
    that the ith catastrophe will occur during
    manual landing due to the kth fault being
    incorrectly identified at altitude $h_D$

$P_{nual}$ = probability of fault-free performance catastrophe

$P_{fual}$ = probability of undetected fault causing automatic
    landing catastrophe

$P_{fdpg}$ = probability of detected fault causing manual
    go-around catastrophe

$P_{fdpl}$ = probability of detected fault causing manual
    landing catastrophe

$P_{ndpg}$ = probability of false fault causing manual go-around
    catastrophe

$P_{ndpl}$ = probability of false fault causing manual landing
    catastrophe

$P_{ndvl}$ = probability of false fault causing manual visual
    landing catastrophe

$P_{fdvl}$ = probability of detected fault causing manual visual
    landing catastrophe

$h_o$ = altitude at which monitor becomes functional

$P_A$ = probability of catastrophic accident (total system)

$P_{FAE}$ = probability of false primary monitor alarm

$P_{EF}$ = probability of equipment (airborne/ground) fault

$P_{MAE}$ = probability of missed monitor alarm due to primary
    monitor failure CPJ^jp)

$P_D$ = probability of fault detection

$T_1$ = nominal flight duration from $h^*$ to touchdown (TD)

$T_2$ = nominal flight duration from $h_o$ to $h^*$ (critical
    altitude)

$\alpha_1$ = landing decision exposure factor (Strategy A, B)

$\alpha_2$ = go-around decision exposure factor (Strategy A, B)

$\alpha_3$ = visual landing exposure factor (Strategy B only)

Mathematical Definitions 


Detected Fault Causing Manual Go -Around Catastrophe 

* 


^fdpg 


N M . h ^ h„ * 

o o 


j=l i=l 

• Pp (hj. - hp|hj ) p^ (h^ )dhj dh 


3 3 3 3 3 3 

To compute probability of successful go-around, replace

$\sum_{i=1}^{M} p_{fdpg_j}(c_i \mid h_D)$ by $1 - \sum_{i=1}^{M} p_{fdpg_j}(c_i \mid h_D)$

Note that in Eq. (A.1)

$P_I(\Delta h_I > h^* - h_D) = \int_{h^* - h_D}^{\infty} p_I(\Delta h_I)\, dh_I$


Detected Fault Causing Manual Landing Catastrophe 

o h^ 


’fdpl 


N M 


j=l i=l 


r r D * 

J* J Pfdpljf^il^D^ ^ 


* 

h h 


Pq ^ C^£ “ ^-p ^ P-p C^-P ) dh^ dh 


D £ ^ ^£ f 


D 


3 3 

To compute the probability of a successful landing, replace

$\sum_{i=1}^{M} p_{fdpl_j}(c_i \mid h_D)$ by $1 - \sum_{i=1}^{M} p_{fdpl_j}(c_i \mid h_D)$


Probability of a Fault

$P_{EF} = \sum_{j=1}^{N} \int_{h_o}^{0} p_{f_j}(h_{f_j})\, dh_{f_j}$


CIO) 


(11) 

) 

( 12 ) 


( 13 ) 
Undetected Fault Causing Landing Catastrophe


N M 


fuel 


Z E / 1 - y Pd (hf - h Ihf ) dh 

j=l i=l L hf. j j j 


Pf/hf.) dhf 

■' J J J J 

To compute the probability of a successful landing, replace 
M (■ M ■ 


(14) 


Probability of a Missed Alarm 


"MAE 


N . o 

^ 7 

3 = 1 


= P - P 


1 - f pjj (h^ - hpjh^ ) dhjj 

3 3 3 


*f. 1 1 


P£ (h^ ) dh£ 

3 3 3 


(15) 


Probability of Detecting a Fault 


N r o r o 


Pp ^ I I Pp ^^f ” ^P I ^f ^Pf ^^f ^ ^^P 

j=l ^ ^ 


Nuisance Disconnect Causing Go -Around Failure 


(16) 


N M h 


“ndpg / Pndpgk*^^i Pj(Ahj > h - h^) 


“0 


(17) 


Here , 
(18)


r "d 

= \ PDk(^Dl\) 

o 

To compute the probability of a successful go-around, replace

$\sum_{i=1}^{M} p_{ndpg_k}(c_i \mid h_D)$ by $1 - \sum_{i=1}^{M} p_{ndpg_k}(c_i \mid h_D)$

Nuisance Disconnect Causing Landing Failure 

N M o * 

^ndpl " vfi 1=1 Pndplk PjCAhj < h - hp) 

Kill ^ 

PPk^^D^ 

To compute the probability of a successful landing, replace

$\sum_{i=1}^{M} p_{ndpl_k}(c_i \mid h_D)$ by $1 - \sum_{i=1}^{M} p_{ndpl_k}(c_i \mid h_D)$


Probability of a False Monitor Alarm 
N . o 


FAE 


^ f Pp *^bp 
:=1 -^h ^k ^ ^ 


Computation of Critical Altitude ($h^*$)

When $h \ge h^*$,

M r r h,, 

i=l \ 4 Pfdpgi^"i>V Pl("bj > h - hp) 


o o 


Pp (^£ ■ hp jh^ ) p£ (h^ ) dh£ *lhp 

j j 3 3 3 3 


(19) 


( 20 ) 
(21)


- PjC^hj < h - hj,) 

o 
* 

Thus, when $h \ge h^*$, the correct decision is to go-around and for
$h < h^*$ it is to land manually.

Exposure Factors for Strategy A

$\alpha_1 = \frac{T_1}{T_1 + T_2}$
                                                            (22)
$\alpha_2 = \frac{T_2}{T_1 + T_2}$

Exposure Factors for Strategy B

$\alpha_1 = T_1 / (T_1 + T_2 + T_3)$

$\alpha_2 = T_2 / (T_1 + T_2 + T_3)$

$\alpha_3 = T_3 / (T_1 + T_2 + T_3)$

Probability of Catastrophic Accidents for Design Strategy A

$P_A = (1 - P_{EF})\{P_{nual} + P_{FAE}(\alpha_1 P_{ndpl} + \alpha_2 P_{ndpg})\}$
$\quad + P_{EF}\{P_{MAE} P_{fual} + (1 - P_{MAE})(\alpha_1 P_{fdpl} + \alpha_2 P_{fdpg})\}$      (24)

Probability of Catastrophic Accident for Decision Strategy B

$P_A = (1 - P_{EF})\{P_{nual} + P_{FAE}(\alpha_1 P_{ndpl} + \alpha_2 P_{ndpg} + \alpha_3 P_{ndvl})\}$
$\quad + P_{EF}\{P_{MAE} P_{fual} + (1 - P_{MAE})(\alpha_1 P_{fdpl} + \alpha_2 P_{fdpg} + \alpha_3 P_{fdvl})\}$      (25)

Independent Landing Monitor (ILM) . The incorporation of 
the ILM into an avionics system with a primary autoland capa- 
bility, introduces additional terms into the equations, presen- 
ted in the previous sections. The principal source of these 
terms is the additional flexibility in the decision making pro- 
cess related to the criterion for initiating a pilot takeover. 

The four options identified in Table 34 arise due to the
potentially conflicting outputs of the primary (i.e., autoland)
and secondary (i.e., ILM) monitors.

The equations presented in this section provide a rigorous 
basis for (a) justifying the incorporation of an ILM, (b) deter- 
mining the best takeover criterion, and (c) generating performance 
specifications for the fault detection system. 


TABLE 36.- POST FAULT DETECTION PILOT TAKEOVER CRITERION
OPTIONS

OPTION    TAKEOVER INITIATION CRITERION

1         Primary monitors only (i.e. no ILM)
2         ILM or primary monitors
3         ILM only (i.e. ignore primary monitors)
4         ILM and primary monitors
Probability Definitions

Additional probability terms, introduced by the incorporation
of a secondary/ILM monitor, are defined in this section.

    probability of false ILM alarm

    probability of missed ILM alarm due to ILM failure
    ($P_{ILM}$) inherent missed alarm rate

    ^MAS "" ^MAI ^ILM

$P_{ELE}$ = probability of emergency landing catastrophe with
    primary monitors

$P_{GAE}$ = probability of go-around catastrophe with primary
    monitors

$P_{MLE}$ = probability of manual visual landing catastrophe with
    primary monitors

$P_{ELI}$ = probability of emergency landing catastrophe with ILM

$P_{GAI}$ = probability of go-around catastrophe with ILM

$P_{MLI}$ = probability of manual landing catastrophe with ILM

$P_{SAE}$ = probability of catastrophe using Strategy A with
    primary monitors

$P_{SAI}$ = probability of catastrophe using Strategy A with ILM

$P_{SBE}$ = probability of catastrophe using Strategy B with
    primary monitors

$P_{SBI}$ = probability of catastrophe using Strategy B with ILM


Mathematical Definitions

Catastrophe Using Strategy A and Primary Monitors

Defining

$P_{ELE} = \max(P_{ndpl}, P_{fdpl})$                          (26)

$P_{GAE} = \max(P_{ndpg}, P_{fdpg})$                          (27)

$P_{SAE} = \alpha_1 P_{ELE} + \alpha_2 P_{GAE}$               (28)

Catastrophe Using Strategy B and Primary Monitors

Defining

$P_{MLE} = \max(P_{ndvl}, P_{fdvl})$                          (29)

we get

$P_{SBE} = \alpha_1 P_{ELE} + \alpha_2 P_{GAE} + \alpha_3 P_{MLE}$      (30)

Catastrophe Using Strategy A and ILM

Defining

$P_{ELI} = \max(P_{ndpl}, P_{fdpl})_I$                        (31)

$P_{GAI} = \max(P_{ndpg}, P_{fdpg})_I$                        (32)

we get

$P_{SAI} = \alpha_1 P_{ELI} + \alpha_2 P_{GAI}$               (33)

where the subscript I denotes usage of an ILM. Note that the
performance of the system can potentially be improved during
emergency landing (EL) and go-around (GA) by using guidance
commands supplied by the ILM.

Catastrophe Using Strategy B and ILM

Define

$P_{MLI} = \max(P_{ndvl}, P_{fdvl})_I$                        (34)

where subscript I denotes usage of an ILM. Note that in this
case the ILM sensor must provide visibility enhancement. This
gives the result

$P_{SBI} = \alpha_1 P_{ELI} + \alpha_2 P_{GAI} + \alpha_3 P_{MLI}$      (35)
APPENDIX B

COVARIANCE PROPAGATION ANALYSIS

The assessment of post fault recovery performance is made by
conducting a covariance propagation analysis. The objective of this
appendix is to (1) describe the mathematical models used for the
aircraft/display/pilot system, (2) present the covariance propagation
equation, and (3) relate the time sequence of covariance matrices
to the catastrophic failure probabilities defined in Appendix A.

The closed loop pilot display aircraft block diagram is shown
in Figure 36; the blocks in this figure are described in the
following.


Linearized Aircraft Model (B-737) 

Linearized longitudinal and lateral axis models of the Termin- 
ally Configured Vehicle (B-737) were developed to conduct the co- 
variance propagation analysis. The linearized aircraft equations 
are described by the vector differential equation, 

X = FX+ Gu + f363 

where x is the state vector, u is the control input vector, and 
w^ is the disturbance vector. It is assumed that w^ is a zero mean 
white noise source with 




(37) 


The longitudinal and lateral decoupled perturbation equations are 
numerically specified in Figures 37 and 38, respectively, for the 
flight condition. 
FIGURE 36.- MANUAL CONTROL SYSTEM BLOCK DIAGRAM

FIGURE 37.- LONGITUDINAL PERTURBATION EQUATIONS

    θ = pitch                     δe = elevator
    u = normalized velocity       δTh = thrust
    α = angle-of-attack           ug = gust component (longitudinal)
    q = pitch rate                αg = gust component (angle-of-attack)
    h = altitude
    Rs = slant range

FIGURE 38.- LATERAL PERTURBATION EQUATIONS

    φ = roll angle                δa = aileron
    ψ = yaw angle                 δr = rudder
    β = sideslip angle            βg = gust component (sideslip)
    p = roll rate
    r = yaw rate
    L = lateral displacement

Flight condition:

    Altitude             305 m (1000 ft)
    Airspeed             120 kts
    Weight               31,800 kg (70,000 lb)
    Thrust               38,440 Nt (8654 lb)
    Angle-of-Attack      4.37°
    Flight Path Angle    -3°


For the longitudinal axis, the go-around maneuver was simulated
by open loop commands for the elevator and thrust inputs given by:

$\delta_e(t) = \delta_{e0} + \dot{\delta}_{e\,max}\,(t - t_0)$      (38)

where

$\delta_e \le \delta_{e\,max}$ = (maximum elevator angle)

$\dot{\delta}_{e\,max}$ = maximum elevator rate

$\delta_{e0}$ = elevator command at $t = t_0$

and


^Th ^ ^ ^ 


^Th max ^'^ThO 


1 “ t 

Th max-'e 


C39) 


where 


$\delta_{Th\,max}$ = 62,150 Nt (14,000 lb)

T = 1 s

$\delta_{Th0}$ = thrust command at $t = t_0$
In addition, the angle-of-attack was constrained during the maneuver
by appropriately limiting the thrust $\delta_{Th}(t)$ and elevator $\delta_e(t)$, so
that

$\alpha(t) < \alpha_{max}$      (40)

where

$\alpha_{max} = 18°$


Display (Measurement) Equation

The display system in Figure 36 is represented by the equation,

$z = Hx + v$      (41)

where the measurement matrix H is defined in Figure 39 for the
longitudinal and lateral axis. The noise v, made up of
measurement noise $v_m$ and display noise $v_d$, is defined by

$v = Hv_m + v_d$      (42)

It is assumed that v is a zero mean, white noise source with

$E\{vv^T\} = R$      (43)


Pilot Model 

A number of math models have been proposed to characterize the 
pilot in the glideslope and localizer tracking phase of the manual 
landing task. These models range from the frequency domain trans- 
fer function to the optimal control models. 
FIGURE 39.- DISPLAY (MEASUREMENT) EQUATION



An isomorphic form for the optimal control model was proposed 
by Kleinman [33], as shown in Figure 40. This model attempts to 
retain a one-to-one correspondence with hypothesized pilot
activity, in terms of an observation phase, information processing
phase and a motor phase. From an input-output point of view, this 
model can be simplified to that in Figure 41. Although neither 
of these models has been fully validated, analysis to date indicates 
that the latter model, consisting of a Kalman estimator followed 
by an optimal controller is an adequate representation for current- 
ly available pilot data. 

To incorporate the motor noise term into the aircraft equations 
as in Figure 36, define 


= «opt ^ '"m 


(44) 


The aircraft equation is augmented so that 


X = Fx + ®^opt ^ 


(45) 


where 


r = 


d 

0 


0 

G 


(46) 


rw 


w = 


w. 


m 


(47) 


and 


Q = E { ww^} 


(48) 
FIGURE 40.- OPTIMAL CONTROL MODEL OF PILOT RESPONSE
(block labels: Motor Noise, Equalization, Observation Noise)

FIGURE 41.- SIMPLIFIED PILOT MODEL
(block labels: Motor Noise, Display/Perception Error (Observation
noise), Display)

Referring to Figure 36, the objective of the pilot, during the
tracking task, is to keep deviations from the nominal path as small
as possible, using the feedback control u(t). Note that the
equations (36) and (45) are linearized perturbation equations and do
not include the nominal trajectory. Similarly the control input u(t)
only represents the corrective part of the control action and
includes the open loop nominal commands.

Thus, the objective of the pilot, as an optimal controller, is
to minimize a quadratic index of the form

$J = \frac{1}{2} \int_0^T (x^T A x + u^T B u)\, dt$      (49)

For computational efficiency, if the steady state assumption is
made (i.e., $T \to \infty$), then the filter and controller gains are time
invariant. But the filter representing the pilot is no longer
optimal. Moreover the state estimate and state estimation errors
are correlated. As a consequence the covariance propagation
analysis, described in the next section, must be performed with the
augmented state vector $\{x \mid \hat{x}\}^T$, where $\hat{x}$ is the state estimate of
the "infinite time" version of the Kalman estimator.

The numerical values of the weighting matrices A and B, and
the process and measurement noise terms Q and R, are presented in
Figure 42.


Covariance Propagation 

Based on the pilot-aircraft-display model described above, the 
objective of this section is to define the equations used to assess 
post fault detection recovery performance. 

The initial state covariance matrix P*(0) represents the
envelope of dispersions of the aircraft state x at the point
of fault detection. The covariance propagation technique
is used to determine the manner in which the covariance matrix P*
evolves from P*(0). This matrix finally reaches the steady state
nominal value (due to external disturbances only).

LONGITUDINAL:

    A = diag [33, 100, 33, 0, 0.01, 0.001]
    B = diag [130, 0.25]
    Q = diag [0.01, 0.0025]
    R = diag [0.0003, 0.000068, 0.0003, 1, 25]

LATERAL:

    A = diag [33, 33, 33, 0, 0, lO'^]
    B = diag [13, 33]
    Q = lO'^*^
    R = diag [0.00015, 0.00015, 0.00015, 12.5]

FIGURE 42.- NUMERICAL VALUES FOR PILOT MODEL AND PROCESS-MEASUREMENT
NOISE COVARIANCES


To perform covariance propagation, define an augmented system 
vector differential equation of dimension 2n, 


• 


r . -1 i- n 


r 1 


X 


1 

1 

' 1 

1 

+ 

L_!_o_ 

w 

A 

X 


KH 1 F-GX-KH J [xj 


O 

V 


(50 ) 


Define 


and 


P* 





* I 
I 



* I 




2n X 2n 


F* 


F _ I j^G^ 

KH 1 K-GX-KH 


(51) 


(52) 
Then the vector differential equation to propagate the initial
covariance is,


p* 


p*p* -I- p*p*T + 


rwr^i o__ 

0 I krk’^ 


(53) 


The initial covariance matrix 
detection, is 


P*(0) , at the point of fault 


P*(0) 


P*ll(0) I 0 

— -u— I 


C54) 


Thus, to evaluate fault recovery performance, Equation (53) is
numerically integrated for the longitudinal and lateral
representations of the system. To determine whether the resulting time
sequence of covariance matrices represents a "successful" post
fault detection recovery, it is necessary to relate the
covariance matrix to the probability of catastrophe, during a landing
or go-around maneuver defined in Appendix A; this is discussed
in the next section.


Computation of Catastrophe Probability From The Covariance Matrix 

The system fault recovery performance is evaluated by start- 
ing with an initial covariance matrix (representing the state of 
the aircraft at fault detection, in a statistical sense). Then, 
by performing covariance propagation, the time sequence by which 
this initial covariance transitions to the nominal covariance 
matrix, (by the stable pilot/display/aircraft feedback control 
system) is obtained. This is graphically depicted for the
landing/go-around task, for one of the system states (altitude), in
Figures 43a and 43b, respectively. The following discussion relates
the probability of catastrophe resulting from a go-around
($P_{GAE}/P_{GAI}$) and landing ($P_{MLE}/P_{MLI}$), defined in Appendix A and used in
Chapter III, to the covariance propagation computations.

FIGURE 43a.- MANUAL LANDING TASK FAULT RECOVERY

FIGURE 43b.- MANUAL GO-AROUND TASK FAULT RECOVERY


Let x be the random n-vector representing the system state
whose components can take on a continuous set of values with the
probability density function

$p(x) = \frac{1}{(2\pi)^{n/2} |P|^{1/2}} \exp\left[-\tfrac{1}{2}(x-\bar{x})^T P^{-1} (x-\bar{x})\right]$      (55)

where

$E(x) = \bar{x}$ = mean value of state vector      (56)

and

$E\{(x-\bar{x})(x-\bar{x})^T\} = P$ = covariance matrix of vector      (57)

It is of interest to determine the constant ' such that 
the probability that x lies outside the hyperellipsoid. 

(x-x)’^P'^(x-x)= (58) 

is less than the go-around (Pgae'^^GAI^ landing (Pmle'^PmlI^ 
catastrophe probability requirement. Then, an approximate method 
of ensuring that the hyperellipsoid defined by Equation (58) does 
not violate any of the state constraints (e.g., angle-of-attack , 
obstacle clearance, etc.)', is to check whether inequalities of the 
form, 




max’ 


i = 1, 


n. 


(59) 


where $x_{i\,max}$ is the maximum allowable deviation in state i and
$P_{ii}$ is the i-th diagonal element of the covariance matrix.

A more accurate method of ensuring constraint satisfaction is to
define the constraint boundaries as another hyperellipsoid of the
form

$$(x-\bar{x})^T G\,(x-\bar{x}) \le \qquad (60)$$

Then it can be shown that the necessary and sufficient condition 
for constraint satisfaction is the matrix. 



i.e., the matrix defined by Eq. (61) is positive semidefinite. For
the purposes of the present study, inequalities of the form of
Eq. (59) were checked. The evaluation of catastrophe probability as
a function of n and $\ell$ was performed and is tabulated in Table 37.
It can be seen that for a sixth order system to achieve a
probability of catastrophic accident of about $10^{-2}$ (e.g.,
required for go-around and landing in Appendix A), the four sigma
($4\sigma$) covariance dispersion boundary must be checked for
constraint violation. The assumed aircraft recovery limits and the
flare point window are presented in Table 36. The recovery is
considered to be "successful" if the recovery limits are not
included and the "time-to-correct" is that required to satisfy the
flare point window constraints of Table 36.
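For a Gaussian state, the probability of lying outside the hyperellipsoid of Eq. (58) is the probability that a chi-square variable with n degrees of freedom exceeds the square of the sigma multiple, which is what Table 37 tabulates. The following Python code is an added example, not code from the report: it evaluates that probability, inverts it for the sigma multiple, and applies a per-state check that is assumed here to have the form ell * sqrt(P_ii) <= x_i_max. The function names and the sample variances and limits are constructed for illustration.

```python
import math

def chi2_tail(x, n):
    """P(chi-square with n degrees of freedom exceeds x), exact for integer n."""
    h = x / 2.0
    if n % 2 == 0:                       # even n: finite sum of h^k / k!
        term = total = 1.0
        for k in range(1, n // 2):
            term *= h / k
            total += term
        return math.exp(-h) * total
    total = math.erfc(math.sqrt(h))      # odd n: start from the n = 1 tail
    term = math.exp(-h) * math.sqrt(h) / math.gamma(1.5)
    for k in range(1, (n - 1) // 2 + 1):
        total += term                    # adds h^(k-1/2) e^(-h) / Gamma(k+1/2)
        term *= h / (k + 0.5)
    return total

def catastrophe_probability(n, ell):
    """Probability that an n-state Gaussian lies outside the ell-sigma hyperellipsoid."""
    return chi2_tail(ell * ell, n)

def sigma_multiple(n, p_required, lo=0.0, hi=20.0):
    """Smallest ell whose hyperellipsoid leaves at most p_required outside (bisection)."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if catastrophe_probability(n, mid) > p_required:
            lo = mid
        else:
            hi = mid
    return hi

def violated_states(cov_diag, limits, ell):
    """Assumed form of the per-state check: ell * sqrt(P_ii) <= x_i_max."""
    return [name for name, p_ii in cov_diag.items()
            if ell * math.sqrt(p_ii) > limits[name]]

# Constructed sample values (not from the report): variances P_ii and limits x_i_max.
SAMPLE_COV_DIAG = {"pitch_deg": 4.0, "altitude_m": 81.0, "alpha_deg": 9.0}
SAMPLE_LIMITS = {"pitch_deg": 12.0, "altitude_m": 30.5, "alpha_deg": 10.0}

if __name__ == "__main__":
    for n in range(4, 9):                # rows n = 4..8, columns ell = 4..8
        print(n, ["%.2e" % catastrophe_probability(n, ell) for ell in range(4, 9)])
    ell = sigma_multiple(6, 1e-2)
    print("ell for n = 6 and 1e-2:", round(ell, 3))
    print("violated at that ell:", violated_states(SAMPLE_COV_DIAG, SAMPLE_LIMITS, ell))
```
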


Extension of the Covariance Propagation Technique 

The previous sections described the manner in which the covariance
propagation technique, together with certain probability integrals,
allows one to evaluate the system fault recovery performance. This
methodology was applied to the specific numerical example documented
in Figures 37 and 38, for the flight condition noted earlier in the
appendix. To perform the analysis more thoroughly, it is essential
that the entire flight trajectory be considered. The conceptual
framework by which this is accomplished is now discussed.

Consider a typical terminal area trajectory depicted in Figure 44
(also described in Chapter II). The different flight phases during
the traversal of this trajectory are partitioned in the figure and
are labeled a, b, c, d, and e. When the aircraft is flying along
this trajectory, using the primary autoland system, each of these
phases can be mathematically characterized by a linear perturbation
equation such as Eq. (36), with the feedback loop shown in Figure 36
being closed by the autoland system. Table 39 shows the sequence of
system matrices, together with the corresponding autoland estimator,
controller and cost function. Similarly, Table 40 depicts the same
sequence of matrices when the system is under manual control.


TABLE 37. -CATASTROPHE PROBABILITIES AS A FUNCTION
OF SYSTEM DIMENSIONALITY (n) AND MULTIPLE
($\ell$) OF STANDARD DEVIATION ($\sigma$)


  n \ ℓ       4            5            6            7            8
           (×10^-2)     (×10^-4)     (×10^-6)     (×10^-8)     (×10^-10)

    4        0.3          0.5          0.3          0.06         0.001
    5        0.68         1.4          1.0          0.22         0.01
    6        1.3          3.4          2.8          0.75         0.1
    7        2.5          7.6          7.3          2.27         0.2
    8        4.2          15.6         17.6         6.36         0.8
TABLE 38. -ASSUMED AIRCRAFT RECOVERY LIMITS AND FLARE
POINT WINDOW


                                  RECOVERY LIMITS
AXIS           STATE              MAX           MIN             FLARE POINT WINDOW

Longitudinal   θ, °               12            - 12            + 0.5
               u, -               0.15          - 0.15          [illegible]
               α, °               + 22          - 10            + 0.5
               [illegible]        3             - 3             + 0.05
               h, m(ft)           305(100)      - 30.5(-100)    + 1.5(+ 5)
               Rg, m(ft)          915(3000)     -610(-2000)     + 3.05(+10)
               [illegible]        10            - 5             + 1
               [illegible]        5000          -500            + 100

Lateral        φ, °               15            [illegible]     + 1
               [illegible]        15            - 15            [illegible]
               [illegible], °     5             - 5             + 1.5
               [illegible]        5             - 5             + 0.5
               r, °/s             5             - 5             + 0.5
               L, m(ft)           152(500)      -152(-500)      + 6.1 (+20)



























































FIGURE 44. -TYPICAL TERMINAL AREA TRAJECTORY 
TABLE 39. -MATHEMATICAL DESCRIPTION OF NOMINAL AUTOLAND (PRIMARY SYSTEM)
FLIGHT PHASES


        SYSTEM         AUTOLAND MODEL             COST
PHASE   MATRICES       ESTIMATOR    CONTROLLER    FUNCTION          COMMENTS

a       F_aa, G_aa     K_aa         [?]_aa        [?]_aa, [?]_aa    Approach flaps, gear down, loose tracking
b       F_ab, G_ab     K_ab         [?]_ab        [?]_ab, [?]_ab    Curved, descending
c       F_ac, G_ac     K_ac         [?]_ac        [?]_ac, [?]_ac    GS = 5°, landing flaps, decelerating
d       F_ad, G_ad     K_ad         [?]_ad        [?]_ad, [?]_ad    GS = 2.8°, tight tracking
e       F_ae, G_ae     K_ae         [?]_ae        [?]_ae, [?]_ae    Flare


Nomenclature: [?]_(a|m|F)(a, ..., e)
First Subscript (a|m|F): Automatic/Manual/Fault
Second Subscript (a, ..., e): Flight Phases


TABLE 40. -MATHEMATICAL DESCRIPTION OF NOMINAL MANUAL CONTROL (BACKUP SYSTEM)
FLIGHT PHASES


        SYSTEM         PILOT MODEL                COST
PHASE   MATRICES       ESTIMATOR    CONTROLLER    FUNCTION          COMMENTS

a       F_ma, G_ma     K_ma         [?]_ma        [?]_ma, [?]_ma    Approach flaps, gear down, loose tracking
b       F_mb, G_mb     K_mb         [?]_mb        [?]_mb, [?]_mb    Curved, descending
c       F_mc, G_mc     K_mc         [?]_mc        [?]_mc, [?]_mc    GS = 5°, landing flaps, decelerating
d       F_md, G_md     K_md         [?]_md        [?]_md, [?]_md    GS = 2.8°, tight tracking
e       F_me, G_me     K_me         [?]_me        [?]_me, [?]_me    Flare









Thus, to thoroughly evaluate the overall system performance, 
linear perturbation models must be constructed for each of these 
phases, and the covariance propagation program must be exercised 
to sequence through the entire trajectory. 

Two flight phases are singled out for further comment, namely,
flare and go-around. During the flare phase, the system model is
essentially nonlinear due to the flare control law and the ground
effect on aerodynamic coefficients. Consequently, a sequence of
models rather than a single model is needed to represent this phase.
For go-around, the aircraft controls are at their limiting values,
and again, a sequence of models is necessary to describe accurately
the transition from small signal perturbations to a limiting control
situation.
APPENDIX C


STATISTICAL TESTS 


Depending on the hypothesis being tested, a number of statistical
tests can be used [22-25]. The applicable tests, to detect changes
in the mean and variance, are presented in Table 41. This table
categorizes the statistical tests according to the hypothesis and
whether the sample is univariate or multivariate. Let
be a sample from a normal distribution with constant mean and
variance $\sigma^2$. To test whether a given sample $\{x_i\}$
satisfies the null hypothesis ($\sigma^2 = \sigma_0^2$) or the
alternate ($\sigma^2 \ne \sigma_0^2$) one can perform either a
likelihood ratio test [22] or a chi square test.

Even under the assumptions of normality and independent samples,
the likelihood ratio test is a complex function of the sample
variance. Analytical or empirical results on the distribution of the
likelihood ratio tests, necessary to compute test thresholds, are
not available in the literature. Therefore, in practice, a chi
square ($\chi^2$) test from the null hypothesis (denoted by
$H_0$: $\sigma^2 = \sigma_0^2$) is used. This test is also used
here, for detecting univariate variance changes as documented in
Table 41.

The statistic for the $\chi^2$ test is

$$\chi_0^2 = \frac{(n-1)s^2}{\sigma_0^2} \qquad (62)$$

which under $H_0$ has a $\chi^2$ distribution with $\nu = n-1$
degrees of freedom.

The usual central region is thus made up of

(63)

and

(64)

where
TABLE 41. -APPLICABLE PARAMETRIC STATISTICAL TESTS


HYPOTHESES: MEAN ($H_0$: $\mu = \mu_0$; $H_1$: $\mu \ne \mu_0$)

  UNIVARIATE, $\sigma$ KNOWN
    Z TEST
    r: CORRELATION COEFFICIENT (BI-VARIATE)

  UNIVARIATE, $\sigma$ UNKNOWN
    t TEST: ROBUST TO NORMALITY ASSUMPTION
    $\bar{X} = \frac{1}{n}\sum_{i=1}^{n} X_i$

  MULTIVARIATE (ONE-SIDED NOT APPLICABLE), $\sigma$ KNOWN
    $\chi^2$ TEST (VECTOR CASE)

  MULTIVARIATE (ONE-SIDED NOT APPLICABLE), $\sigma$ UNKNOWN
    $T^2$ TEST: $T^2 = N(\bar{X}-\mu_0)^T S^{-1}(\bar{X}-\mu_0)$
    $T_0^2$ = (N-1) [illegible]
    S = COVARIANCE MATRIX
    [illegible]_0 - CONFIDENCE LEVEL SETTING

HYPOTHESES: VARIANCE ($H_0$: $\sigma^2 = \sigma_0^2$; $H_1$: $\sigma^2 > \sigma_0^2$)

  UNIVARIATE
    MAXIMUM LIKELIHOOD TEST
    LARGE SAMPLE APPROXIMATION: $\mu$ KNOWN/UNKNOWN
    $\chi_0^2 = \frac{(n-1)S^2}{\sigma_0^2}$, $S^2 = \frac{1}{n-1}\sum_{i=1}^{n}(X_i-\bar{X})^2$
    NOT ROBUST TO NORMALITY ASSUMPTION

  MULTIVARIATE (ONE-SIDED NOT APPLICABLE)
    MAXIMUM LIKELIHOOD TEST
    LARGE SAMPLE APPROXIMATION: $T^2$
    $\mu$ KNOWN/UNKNOWN

$$s^2 = \frac{1}{n-1}\sum_{i=1}^{n}(x_i-\bar{x})^2 = \text{sample variance} \qquad (65)$$

$$\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i = \text{sample mean} \qquad (66)$$

and $\eta$ = false alarm rate.

For one sided tests with the alternate hypothesis
$\sigma^2 > \sigma_0^2$, the central region is

x5.^(n-l)}/(n-l) (67)

A $100(1-\eta)\%$ confidence interval for $\sigma^2$ is

$$\frac{(n-1)s^2}{\chi^2_{1-\eta/2}(n-1)} \le \sigma^2 \le \frac{(n-1)s^2}{\chi^2_{\eta/2}(n-1)} \qquad (68)$$

The probability, P, depends on the alternate hypothesis. For
example, if the alternate hypothesis is
{$H_1$: $\sigma^2 > \sigma_0^2$} then,

$$P = \Pr\{\chi^2(n-1) > \chi_0^2\} \qquad (69)$$

However, real sample data $\{x_i\}$ are usually correlated. Since
the $\chi^2$ test assumes random samples, the test results will be
degraded. In other words, the probability of false alarm $\eta$ will
in general be larger than the value assumed in the calculations
preceding this test. An empirical study needs to be conducted to
evaluate the effects of departures from the underlying assumptions.
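The degradation described above can be measured by simulation. The following Python code is an added example, not part of the report: it applies the one-sided chi-square variance test of Eq. (62) to samples for which the null hypothesis holds, first independent and then first-order autoregressive with the same variance, and returns the observed false alarm rate. The autoregressive model, n = 101, the nominal 5% level (tabulated percentile 124.342 for 100 degrees of freedom) and the function names are assumptions of the example.

```python
import math
import random

# Tabulated 95th percentile of chi-square with 100 degrees of freedom (n = 101).
CHI2_95_DOF100 = 124.342

def sample_variance(xs):
    """s^2 with the (n - 1) divisor, as in Eq. (65)."""
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / (len(xs) - 1)

def ar1_sample(rng, n, rho):
    """n zero-mean, unit-variance normal samples with lag-one correlation rho."""
    x = rng.gauss(0.0, 1.0)
    out = [x]
    scale = math.sqrt(1.0 - rho * rho)   # keeps the marginal variance at 1
    for _ in range(n - 1):
        x = rho * x + scale * rng.gauss(0.0, 1.0)
        out.append(x)
    return out

def false_alarm_rate(rho, trials=3000, n=101, sigma0_sq=1.0, seed=1):
    """Fraction of H0-true samples whose (n-1) s^2 / sigma0^2 exceeds the threshold."""
    rng = random.Random(seed)            # fixed seed: constructed, repeatable data
    alarms = 0
    for _ in range(trials):
        chi2_0 = (n - 1) * sample_variance(ar1_sample(rng, n, rho)) / sigma0_sq
        if chi2_0 > CHI2_95_DOF100:
            alarms += 1
    return alarms / trials

if __name__ == "__main__":
    print("independent samples, rho = 0.0:", false_alarm_rate(0.0))
    print("correlated samples,  rho = 0.8:", false_alarm_rate(0.8))
```

With independent samples the observed rate stays near the nominal 5%; with a lag-one correlation of 0.8 the same threshold raises alarms several times as often although the variance has not changed.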

Another source of error includes deviations from the assump- 
tion of normality. The chi-square test is not robust with respect 
to the normality assumption. Sensitivity of the test to deviations 
from normality can be studied empirically. 

To test the hypothesis that the mean $\mu$ is equal to some
constant $\mu_0$ (denoted by $H_0$: $\mu = \mu_0$), the t test is
used when $\sigma$ is unknown. The t test statistic is [24]

(70)

which under $H_0$ has a Student's t distribution with $\nu = n-1$
degrees of freedom. As in the $\chi^2$ test, the P value depends on
the alternate hypothesis. When the alternate hypothesis is
{$H_1$: $\mu \ne \mu_0$}, then

$$P = 2\Pr\{t(\nu) > |t_0|\} \qquad (71)$$

An interval estimate for $\mu$ is given by the $100(1-\eta)\%$
confidence interval

$$\left(\bar{x} - t_{1-(\eta/2)}(n-1)\,s/\sqrt{n},\ \ \bar{x} + t_{1-(\eta/2)}(n-1)\,s/\sqrt{n}\right) \qquad (72)$$

where $t_{1-(\eta/2)}(n-1)$ is the $100[1-(\eta/2)]$th percentile of
the Student's t distribution with $\nu = n-1$ degrees of freedom.
This interval is used to test {$H_0$: $\mu = \mu_0$} against
{$H_1$: $\mu \ne \mu_0$}. $H_0$ is rejected at level $\eta$ if
$\mu_0$ falls outside this confidence interval. Unlike the $\chi^2$
test, the t test is known to be robust, that is, insensitive to
moderate deviations from the assumption of normality, when the
sample is random.